From 207b63c79a87e40427950d881c221acc623d9fb6 Mon Sep 17 00:00:00 2001
From: "Jiaxiao (mossaka) Zhou" <duibao55328@gmail.com>
Date: Sat, 21 Feb 2026 01:00:51 +0000
Subject: [PATCH 1/2] Pre-seed Maven/Gradle/sbt proxy config in agent container

Java build tools do not honor HTTP_PROXY/HTTPS_PROXY env vars and need
explicit proxy configuration. Pre-seed these files in the container
entrypoint so JVM-based builds work automatically:

- ~/.m2/settings.xml (Maven proxy)
- ~/.gradle/gradle.properties (Gradle proxy)
- JAVA_TOOL_OPTIONS with proxy JVM flags (sbt/generic Java)

This unblocks Java, Kotlin, Clojure, and Scala builds without requiring
the agent to discover the proxy configuration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 containers/agent/entrypoint.sh | 60 ++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/containers/agent/entrypoint.sh b/containers/agent/entrypoint.sh
index 4f8170c8..17eabc74 100644
--- a/containers/agent/entrypoint.sh
+++ b/containers/agent/entrypoint.sh
@@ -162,6 +162,66 @@ if [ -n "$CLAUDE_CODE_API_KEY_HELPER" ]; then
   fi
 fi
 
+# Pre-seed JVM build tool proxy configuration
+# Java build tools (Maven, Gradle, sbt) do not honor HTTP_PROXY/HTTPS_PROXY env vars
+# and need explicit proxy configuration files
+if [ -n "$HTTP_PROXY" ]; then
+  # Extract proxy host and port from HTTP_PROXY (format: http://IP:PORT)
+  PROXY_HOST="${HTTP_PROXY#http://}"
+  PROXY_HOST="${PROXY_HOST%:*}"
+  PROXY_PORT="${SQUID_PROXY_PORT:-3128}"
+
+  # Determine path prefix for config files (chroot-aware, same pattern as .claude.json)
+  if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then
+    JVM_HOME_PREFIX="/host${HOME}"
+  else
+    JVM_HOME_PREFIX="${HOME}"
+  fi
+
+  echo "[entrypoint] Pre-seeding JVM build tool proxy configuration (${PROXY_HOST}:${PROXY_PORT})..."
+
+  # Maven proxy config (~/.m2/settings.xml)
+  mkdir -p "${JVM_HOME_PREFIX}/.m2"
+  cat > "${JVM_HOME_PREFIX}/.m2/settings.xml" << MAVEN_EOF
+<settings>
+  <proxies>
+    <proxy>
+      <id>awf-http</id>
+      <active>true</active>
+      <protocol>http</protocol>
+      <host>${PROXY_HOST}</host>
+      <port>${PROXY_PORT}</port>
+    </proxy>
+    <proxy>
+      <id>awf-https</id>
+      <active>true</active>
+      <protocol>https</protocol>
+      <host>${PROXY_HOST}</host>
+      <port>${PROXY_PORT}</port>
+    </proxy>
+  </proxies>
+</settings>
+MAVEN_EOF
+  chown awfuser:awfuser "${JVM_HOME_PREFIX}/.m2/settings.xml" 2>/dev/null || true
+  echo "[entrypoint] ✓ Created Maven proxy config (${JVM_HOME_PREFIX}/.m2/settings.xml)"
+
+  # Gradle proxy config (~/.gradle/gradle.properties)
+  mkdir -p "${JVM_HOME_PREFIX}/.gradle"
+  cat > "${JVM_HOME_PREFIX}/.gradle/gradle.properties" << GRADLE_EOF
+systemProp.http.proxyHost=${PROXY_HOST}
+systemProp.http.proxyPort=${PROXY_PORT}
+systemProp.https.proxyHost=${PROXY_HOST}
+systemProp.https.proxyPort=${PROXY_PORT}
+GRADLE_EOF
+  chown awfuser:awfuser "${JVM_HOME_PREFIX}/.gradle/gradle.properties" 2>/dev/null || true
+  echo "[entrypoint] ✓ Created Gradle proxy config (${JVM_HOME_PREFIX}/.gradle/gradle.properties)"
+
+  # sbt/JVM proxy config via JAVA_TOOL_OPTIONS
+  # This covers sbt and any JVM tool that reads standard system properties
+  export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}"
+  echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy flags"
+fi
+
 # Print proxy environment
 echo "[entrypoint] Proxy configuration:"
 echo "[entrypoint]   HTTP_PROXY=$HTTP_PROXY"

From 2d8ac642b30f9bf3ce729f4146a1fc26daed9294 Mon Sep 17 00:00:00 2001
From: "Jiaxiao (mossaka) Zhou" <duibao55328@gmail.com>
Date: Tue, 24 Feb 2026 02:07:33 +0000
Subject: [PATCH 2/2] fix: address review feedback on JVM proxy config

- Use SQUID_PROXY_HOST/SQUID_PROXY_PORT directly instead of brittle HTTP_PROXY
  parsing; keep improved fallback that handles https://, credentials, and IPv6
- Only create Maven settings.xml and Gradle gradle.properties if they don't
  already exist, to avoid clobbering user-provided configuration
- Derive Java nonProxyHosts from NO_PROXY env var (comma-to-pipe conversion)
  so JVM tools don't attempt to proxy localhost/127.0.0.1 traffic

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 containers/agent/entrypoint.sh | 56 ++++++++++++++++++++++++++--------
 1 file changed, 44 insertions(+), 12 deletions(-)

diff --git a/containers/agent/entrypoint.sh b/containers/agent/entrypoint.sh
index 17eabc74..29eb17a8 100644
--- a/containers/agent/entrypoint.sh
+++ b/containers/agent/entrypoint.sh
@@ -166,10 +166,21 @@ fi
 # Java build tools (Maven, Gradle, sbt) do not honor HTTP_PROXY/HTTPS_PROXY env vars
 # and need explicit proxy configuration files
 if [ -n "$HTTP_PROXY" ]; then
-  # Extract proxy host and port from HTTP_PROXY (format: http://IP:PORT)
-  PROXY_HOST="${HTTP_PROXY#http://}"
-  PROXY_HOST="${PROXY_HOST%:*}"
-  PROXY_PORT="${SQUID_PROXY_PORT:-3128}"
+  # Determine proxy host and port for JVM tools.
+  # Prefer SQUID_PROXY_HOST/SQUID_PROXY_PORT (set by docker-manager.ts) over parsing HTTP_PROXY,
+  # since HTTP_PROXY parsing is brittle (doesn't handle https://, credentials, IPv6, etc.)
+  if [ -n "$SQUID_PROXY_HOST" ] && [ -n "$SQUID_PROXY_PORT" ]; then
+    PROXY_HOST="$SQUID_PROXY_HOST"
+    PROXY_PORT="$SQUID_PROXY_PORT"
+  else
+    # Fallback: extract from HTTP_PROXY (format: http://HOST:PORT)
+    PROXY_HOST="${HTTP_PROXY#http://}"
+    PROXY_HOST="${PROXY_HOST#https://}"
+    PROXY_HOST="${PROXY_HOST#*@}"       # strip credentials if present
+    PROXY_PORT="${PROXY_HOST##*:}"      # extract port after last colon
+    PROXY_HOST="${PROXY_HOST%:*}"       # strip port
+    PROXY_PORT="${PROXY_PORT:-3128}"    # default port
+  fi
 
   # Determine path prefix for config files (chroot-aware, same pattern as .claude.json)
   if [ "${AWF_CHROOT_ENABLED}" = "true" ]; then
@@ -181,8 +192,10 @@ if [ -n "$HTTP_PROXY" ]; then
   echo "[entrypoint] Pre-seeding JVM build tool proxy configuration (${PROXY_HOST}:${PROXY_PORT})..."
 
   # Maven proxy config (~/.m2/settings.xml)
+  # Only create if the file does not already exist, to avoid clobbering user-provided settings
   mkdir -p "${JVM_HOME_PREFIX}/.m2"
-  cat > "${JVM_HOME_PREFIX}/.m2/settings.xml" << MAVEN_EOF
+  if [ ! -f "${JVM_HOME_PREFIX}/.m2/settings.xml" ]; then
+    cat > "${JVM_HOME_PREFIX}/.m2/settings.xml" << MAVEN_EOF
 <settings>
   <proxies>
     <proxy>
@@ -202,24 +215,43 @@ if [ -n "$HTTP_PROXY" ]; then
   </proxies>
 </settings>
 MAVEN_EOF
-  chown awfuser:awfuser "${JVM_HOME_PREFIX}/.m2/settings.xml" 2>/dev/null || true
-  echo "[entrypoint] ✓ Created Maven proxy config (${JVM_HOME_PREFIX}/.m2/settings.xml)"
+    chown awfuser:awfuser "${JVM_HOME_PREFIX}/.m2/settings.xml" 2>/dev/null || true
+    echo "[entrypoint] ✓ Created Maven proxy config (${JVM_HOME_PREFIX}/.m2/settings.xml)"
+  else
+    echo "[entrypoint] ✓ Maven settings.xml already exists, skipping proxy config creation"
+  fi
 
   # Gradle proxy config (~/.gradle/gradle.properties)
+  # Only create if the file does not already exist, to avoid clobbering user-provided settings
+  # (e.g., org.gradle.jvmargs, build cache settings, private repo credentials)
   mkdir -p "${JVM_HOME_PREFIX}/.gradle"
-  cat > "${JVM_HOME_PREFIX}/.gradle/gradle.properties" << GRADLE_EOF
+  if [ ! -f "${JVM_HOME_PREFIX}/.gradle/gradle.properties" ]; then
+    cat > "${JVM_HOME_PREFIX}/.gradle/gradle.properties" << GRADLE_EOF
 systemProp.http.proxyHost=${PROXY_HOST}
 systemProp.http.proxyPort=${PROXY_PORT}
 systemProp.https.proxyHost=${PROXY_HOST}
 systemProp.https.proxyPort=${PROXY_PORT}
 GRADLE_EOF
-  chown awfuser:awfuser "${JVM_HOME_PREFIX}/.gradle/gradle.properties" 2>/dev/null || true
-  echo "[entrypoint] ✓ Created Gradle proxy config (${JVM_HOME_PREFIX}/.gradle/gradle.properties)"
+    chown awfuser:awfuser "${JVM_HOME_PREFIX}/.gradle/gradle.properties" 2>/dev/null || true
+    echo "[entrypoint] ✓ Created Gradle proxy config (${JVM_HOME_PREFIX}/.gradle/gradle.properties)"
+  else
+    echo "[entrypoint] ✓ Gradle gradle.properties already exists, skipping proxy config creation"
+  fi
 
   # sbt/JVM proxy config via JAVA_TOOL_OPTIONS
   # This covers sbt and any JVM tool that reads standard system properties
-  export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} -Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}"
-  echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy flags"
+  # Also set nonProxyHosts from NO_PROXY to prevent JVM tools from proxying localhost traffic
+  NON_PROXY_RAW="${NO_PROXY:-${no_proxy:-}}"
+  JVM_PROXY_FLAGS="-Dhttp.proxyHost=${PROXY_HOST} -Dhttp.proxyPort=${PROXY_PORT} -Dhttps.proxyHost=${PROXY_HOST} -Dhttps.proxyPort=${PROXY_PORT}"
+  if [ -n "$NON_PROXY_RAW" ]; then
+    # Convert comma-separated NO_PROXY to Java's pipe-separated nonProxyHosts format
+    NON_PROXY_HOSTS=$(printf '%s' "$NON_PROXY_RAW" | tr ',' '|' | tr -d ' ')
+    JVM_PROXY_FLAGS="${JVM_PROXY_FLAGS} -Dhttp.nonProxyHosts=${NON_PROXY_HOSTS} -Dhttps.nonProxyHosts=${NON_PROXY_HOSTS}"
+    echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy and nonProxyHosts flags"
+  else
+    echo "[entrypoint] ✓ Set JAVA_TOOL_OPTIONS with proxy flags"
+  fi
+  export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} ${JVM_PROXY_FLAGS}"
 fi
 
 # Print proxy environment