Skip to content

Fix Squid egress-proxy crash from conflicting allowlist domains#30

Merged
dbroeglin merged 4 commits into
mainfrom
dbroeglin-import-deepswe-task
Jul 6, 2026
Merged

Fix Squid egress-proxy crash from conflicting allowlist domains#30
dbroeglin merged 4 commits into
mainfrom
dbroeglin-import-deepswe-task

Conversation

@dbroeglin

Copy link
Copy Markdown
Owner

Why

Every DeepSWE (air-gapped) trial was failing at environment startup with a confusing Could not find the file /logs/artifacts/model.patch error. The real cause was the copilot-cli agent's network allowlist crashing Pier's egress proxy before any agent could run.

Root cause

Pier enforces the agent NetworkAllowlist with a Squid egress proxy, rendering each domain into a dstdomain ACL entry. Our allowlist listed three domains both bare and as a .domain wildcard (github.com + .github.com, and the same for githubcopilot.com and githubusercontent.com). Squid treats that overlap as fatal:

ERROR: '.github.com' is a subdomain of 'github.com'
FATAL: Bungled ... acl allowed_domains dstdomain

The proxy container exits(1), the main agent container's service_healthy dependency fails, and Pier surfaces the misleading model.patch not found symptom downstream. I reproduced this deterministically in a standalone Squid container and confirmed the fix keeps the proxy running (Accepting HTTP Socket connections ... 0.0.0.0:8080).

The fix

Use dotted wildcards only: [".github.com", ".githubcopilot.com", ".githubusercontent.com", "gh.io"]. In Squid a leading-dot entry already matches the apex domain and all subdomains, so the bare entries were both redundant and fatal. gh.io stays bare (single redirector host with no subdomains we contact; its install redirect targets *.githubusercontent.com, already covered).

The test now asserts the wildcard forms are present and adds a regression guard that no domain may appear both bare and dotted, so this exact Squid conflict cannot be reintroduced silently. ADR 0022 records the constraint.

Notes for reviewers

  • This branch also merges the latest origin/main (the interactive HTML dashboards feature). The net PR diff is only the 4 files below; the merge itself was conflict-free.
  • origin/main independently added an ADR 0021, so this ADR was renumbered to 0022 and the index updated to keep numbers unique and ordered.
  • Anyone extending the allowlist must add the dotted form (e.g. .example.com), never the bare domain when subdomains are needed. A code comment and the test enforce this.

Validation

  • Reproduced the FATAL and verified the fix in a local Squid container.
  • uv run ruff check . clean; uv run pytest -q all 187 pass.

dbroeglin and others added 4 commits July 6, 2026 18:58
Pier enforces the copilot-cli agent's NetworkAllowlist with a Squid egress proxy. The allowlist listed three domains both bare and as a ".domain" wildcard (github.com/.github.com, etc.). Squid's dstdomain ACL treats that overlap as fatal ("'.github.com' is a subdomain of 'github.com'"), so the proxy container exited(1), the main container's service_healthy dependency failed, and every DeepSWE trial died with a misleading "model.patch not found" symptom.

Use dotted wildcards only; a leading-dot entry already matches the apex domain and all subdomains. Add a regression guard asserting no domain is listed both bare and dotted, plus ADR 0021 documenting the constraint.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
origin/main introduced its own ADR 0021 (interactive HTML dashboards). Renumber the copilot-cli egress-allowlist ADR to 0022 and add the dashboards row to the index so ADR numbers stay unique and ordered.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
The per-task 'Task suite coverage' table in report.summary_markdown read task['task_slug'], but _aggregate_task stores the slug under 'task'. Any summary with more than one task (e.g. a DeepSWE run) raised KeyError: 'task_slug' when rendering summary.md via list/show.

Use task['task'] to match the data contract and add a regression test that renders a two-task summary end to end through write_pier_summary.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
@dbroeglin
dbroeglin merged commit c772ee7 into main Jul 6, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant