diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 65cb2d00635..b6ee683d4fc 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1103,6 +1103,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Print Safe Outputs env: GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} diff --git a/pkg/cli/workflows/test-ai-inference-github-models.lock.yml b/pkg/cli/workflows/test-ai-inference-github-models.lock.yml index 7dd98346417..9d99bea9a20 100644 --- a/pkg/cli/workflows/test-ai-inference-github-models.lock.yml +++ b/pkg/cli/workflows/test-ai-inference-github-models.lock.yml @@ -308,6 +308,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-all.lock.yml b/pkg/cli/workflows/test-all.lock.yml index fc559819510..d2382d80f27 100644 --- a/pkg/cli/workflows/test-all.lock.yml +++ b/pkg/cli/workflows/test-all.lock.yml 
@@ -1457,6 +1457,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Print Safe Outputs env: GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} diff --git a/pkg/cli/workflows/test-claude-add-issue-comment.lock.yml b/pkg/cli/workflows/test-claude-add-issue-comment.lock.yml index 145d75baa04..9c37ae38255 100644 --- a/pkg/cli/workflows/test-claude-add-issue-comment.lock.yml +++ b/pkg/cli/workflows/test-claude-add-issue-comment.lock.yml @@ -303,6 +303,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-claude-add-issue-labels.lock.yml b/pkg/cli/workflows/test-claude-add-issue-labels.lock.yml index 7ba5b0a1a79..2a928baebd6 100644 --- a/pkg/cli/workflows/test-claude-add-issue-labels.lock.yml +++ b/pkg/cli/workflows/test-claude-add-issue-labels.lock.yml @@ -303,6 +303,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 
diff --git a/pkg/cli/workflows/test-claude-cache-memory.lock.yml b/pkg/cli/workflows/test-claude-cache-memory.lock.yml index 634b383a649..0b7ffd5d6d0 100644 --- a/pkg/cli/workflows/test-claude-cache-memory.lock.yml +++ b/pkg/cli/workflows/test-claude-cache-memory.lock.yml @@ -393,6 +393,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-claude-command.lock.yml b/pkg/cli/workflows/test-claude-command.lock.yml index 56dd9d9dc98..1763d22d875 100644 --- a/pkg/cli/workflows/test-claude-command.lock.yml +++ b/pkg/cli/workflows/test-claude-command.lock.yml @@ -305,6 +305,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-claude-create-issue.lock.yml b/pkg/cli/workflows/test-claude-create-issue.lock.yml index 39301fe673f..91039eb0b41 100644 --- a/pkg/cli/workflows/test-claude-create-issue.lock.yml +++ b/pkg/cli/workflows/test-claude-create-issue.lock.yml 
@@ -303,6 +303,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-claude-create-pull-request-review-comment.lock.yml b/pkg/cli/workflows/test-claude-create-pull-request-review-comment.lock.yml index 6f52d244f60..6fecfb5946d 100644 --- a/pkg/cli/workflows/test-claude-create-pull-request-review-comment.lock.yml +++ b/pkg/cli/workflows/test-claude-create-pull-request-review-comment.lock.yml @@ -303,6 +303,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-claude-create-pull-request.lock.yml b/pkg/cli/workflows/test-claude-create-pull-request.lock.yml index 5b1ad001e5b..836d67a999c 100644 --- a/pkg/cli/workflows/test-claude-create-pull-request.lock.yml +++ b/pkg/cli/workflows/test-claude-create-pull-request.lock.yml @@ -310,6 +310,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 
diff --git a/pkg/cli/workflows/test-claude-create-repository-security-advisory.lock.yml b/pkg/cli/workflows/test-claude-create-repository-security-advisory.lock.yml index 4aa4764c202..f4ac5297dd1 100644 --- a/pkg/cli/workflows/test-claude-create-repository-security-advisory.lock.yml +++ b/pkg/cli/workflows/test-claude-create-repository-security-advisory.lock.yml @@ -306,6 +306,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-claude-markitdown-mcp.lock.yml b/pkg/cli/workflows/test-claude-markitdown-mcp.lock.yml index 59df36dbafb..d764a28e64b 100644 --- a/pkg/cli/workflows/test-claude-markitdown-mcp.lock.yml +++ b/pkg/cli/workflows/test-claude-markitdown-mcp.lock.yml @@ -316,6 +316,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-claude-max-patch-size.lock.yml b/pkg/cli/workflows/test-claude-max-patch-size.lock.yml index f5377940218..b4b1964878b 100644 --- a/pkg/cli/workflows/test-claude-max-patch-size.lock.yml +++ b/pkg/cli/workflows/test-claude-max-patch-size.lock.yml 
@@ -950,6 +950,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Print Safe Outputs env: GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} diff --git a/pkg/cli/workflows/test-claude-mcp.lock.yml b/pkg/cli/workflows/test-claude-mcp.lock.yml index dd2d79dc342..7d75ad80f33 100644 --- a/pkg/cli/workflows/test-claude-mcp.lock.yml +++ b/pkg/cli/workflows/test-claude-mcp.lock.yml @@ -308,6 +308,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-claude-missing-tool.lock.yml b/pkg/cli/workflows/test-claude-missing-tool.lock.yml index 3ee777ae505..df5bec945b0 100644 --- a/pkg/cli/workflows/test-claude-missing-tool.lock.yml +++ b/pkg/cli/workflows/test-claude-missing-tool.lock.yml @@ -1009,6 +1009,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Print Safe Outputs env: GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} 
diff --git a/pkg/cli/workflows/test-claude-patch-size-exceeded.lock.yml b/pkg/cli/workflows/test-claude-patch-size-exceeded.lock.yml index 78cc5441c33..c85df40e892 100644 --- a/pkg/cli/workflows/test-claude-patch-size-exceeded.lock.yml +++ b/pkg/cli/workflows/test-claude-patch-size-exceeded.lock.yml @@ -952,6 +952,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Print Safe Outputs env: GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} diff --git a/pkg/cli/workflows/test-claude-push-to-pull-request-branch.lock.yml b/pkg/cli/workflows/test-claude-push-to-pull-request-branch.lock.yml index 510d820295d..a3652273b33 100644 --- a/pkg/cli/workflows/test-claude-push-to-pull-request-branch.lock.yml +++ b/pkg/cli/workflows/test-claude-push-to-pull-request-branch.lock.yml @@ -310,6 +310,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-claude-update-issue.lock.yml b/pkg/cli/workflows/test-claude-update-issue.lock.yml index 44fe0bf0ef7..e5286c21c20 100644 --- a/pkg/cli/workflows/test-claude-update-issue.lock.yml +++ b/pkg/cli/workflows/test-claude-update-issue.lock.yml 
@@ -306,6 +306,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-long.lock.yml b/pkg/cli/workflows/test-long.lock.yml index 853452094a0..8c6b8b63117 100644 --- a/pkg/cli/workflows/test-long.lock.yml +++ b/pkg/cli/workflows/test-long.lock.yml @@ -687,6 +687,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-mcps-custom.lock.yml b/pkg/cli/workflows/test-mcps-custom.lock.yml index 70cf35c79f1..f1111d546ee 100644 --- a/pkg/cli/workflows/test-mcps-custom.lock.yml +++ b/pkg/cli/workflows/test-mcps-custom.lock.yml @@ -424,6 +424,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Upload MCP logs if: always() uses: actions/upload-artifact@v4 diff --git a/pkg/cli/workflows/test-playwright-accessibility-contrast.lock.yml b/pkg/cli/workflows/test-playwright-accessibility-contrast.lock.yml index 35b2f0c1f91..f60d64fa7e8 100644 --- a/pkg/cli/workflows/test-playwright-accessibility-contrast.lock.yml 
+++ b/pkg/cli/workflows/test-playwright-accessibility-contrast.lock.yml @@ -967,6 +967,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Print Safe Outputs env: GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} diff --git a/pkg/cli/workflows/test-playwright-screenshots.lock.yml b/pkg/cli/workflows/test-playwright-screenshots.lock.yml index 61e96d9ae15..d93da72e482 100644 --- a/pkg/cli/workflows/test-playwright-screenshots.lock.yml +++ b/pkg/cli/workflows/test-playwright-screenshots.lock.yml @@ -1115,6 +1115,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Print Safe Outputs env: GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} diff --git a/pkg/cli/workflows/test-safe-jobs.lock.yml b/pkg/cli/workflows/test-safe-jobs.lock.yml index 9813a1648d1..fe47509bbdc 100644 --- a/pkg/cli/workflows/test-safe-jobs.lock.yml +++ b/pkg/cli/workflows/test-safe-jobs.lock.yml @@ -1153,6 +1153,12 @@ jobs: # Show last few lines for debugging echo "=== Last 10 lines of Claude execution log ===" tail -10 /tmp/agent-stdio.log || echo "No log content available" + - name: Clean up network proxy hook files + if: always() + run: | + rm -rf .claude/hooks/network_permissions.py || true + rm -rf .claude/hooks || true + rm -rf .claude || true - name: Print Safe Outputs env: GITHUB_AW_SAFE_OUTPUTS: ${{ env.GITHUB_AW_SAFE_OUTPUTS }} 
diff --git a/pkg/workflow/agentic_output_test.go b/pkg/workflow/agentic_output_test.go index 7f3073bc0b6..fffc25a7c21 100644 --- a/pkg/workflow/agentic_output_test.go +++ b/pkg/workflow/agentic_output_test.go 
@@ -301,6 +301,144 @@ This workflow tests that /tmp/ files are excluded from cleanup. t.Log("Successfully verified that /tmp/ files are excluded from cleanup step while still being uploaded as artifacts") } +func TestClaudeEngineNetworkHookCleanup(t *testing.T) { + engine := NewClaudeEngine() + + t.Run("Network hook cleanup with Claude engine and network permissions", func(t *testing.T) { + // Test data with Claude engine and network permissions + data := &WorkflowData{ + Name: "test-workflow", + EngineConfig: &EngineConfig{ + ID: "claude", + Model: "claude-3-5-sonnet-20241022", + }, + NetworkPermissions: &NetworkPermissions{ + Allowed: []string{"example.com", "*.trusted.com"}, + }, + } + + steps := engine.GetExecutionSteps(data, "/tmp/test.log") + + // Convert all steps to string for analysis + var allStepsStr strings.Builder + for _, step := range steps { + allStepsStr.WriteString(strings.Join(step, "\n")) + allStepsStr.WriteString("\n") + } + result := allStepsStr.String() + + // Verify cleanup step is generated + if !strings.Contains(result, "- name: Clean up network proxy hook files") { + t.Error("Expected cleanup step to be generated with Claude engine and network permissions") + } + + // Verify if: always() condition + if !strings.Contains(result, "if: always()") { + t.Error("Expected cleanup step to have 'if: always()' condition") + } + + // Verify cleanup commands + if !strings.Contains(result, "rm -rf .claude/hooks/network_permissions.py || true") { + t.Error("Expected cleanup step to remove network_permissions.py") + } + + if !strings.Contains(result, "rm -rf .claude/hooks || true") { + t.Error("Expected cleanup step to remove hooks directory") + } + + if !strings.Contains(result, "rm -rf .claude || true") { + t.Error("Expected cleanup step to remove .claude directory") + } + }) + + t.Run("Cleanup with Claude engine and defaults network permissions", func(t *testing.T) { + // Test data with Claude engine and defaults network permissions + // (This 
simulates what happens when no network section is specified - defaults to "defaults" mode) + data := &WorkflowData{ + Name: "test-workflow", + EngineConfig: &EngineConfig{ + ID: "claude", + Model: "claude-3-5-sonnet-20241022", + }, + NetworkPermissions: &NetworkPermissions{ + Mode: "defaults", // Default network mode + }, + } + + steps := engine.GetExecutionSteps(data, "/tmp/test.log") + + // Convert all steps to string for analysis + var allStepsStr strings.Builder + for _, step := range steps { + allStepsStr.WriteString(strings.Join(step, "\n")) + allStepsStr.WriteString("\n") + } + result := allStepsStr.String() + + // Verify cleanup step is generated for defaults mode + if !strings.Contains(result, "- name: Clean up network proxy hook files") { + t.Error("Expected cleanup step to be generated with defaults network permissions") + } + }) + + t.Run("No cleanup with Claude engine but no network permissions", func(t *testing.T) { + // Test data with Claude engine but no network permissions + data := &WorkflowData{ + Name: "test-workflow", + EngineConfig: &EngineConfig{ + ID: "claude", + Model: "claude-3-5-sonnet-20241022", + }, + NetworkPermissions: nil, // No network permissions + } + + steps := engine.GetExecutionSteps(data, "/tmp/test.log") + + // Convert all steps to string for analysis + var allStepsStr strings.Builder + for _, step := range steps { + allStepsStr.WriteString(strings.Join(step, "\n")) + allStepsStr.WriteString("\n") + } + result := allStepsStr.String() + + // Verify no cleanup step is generated + if strings.Contains(result, "- name: Clean up network proxy hook files") { + t.Error("Expected no cleanup step to be generated without network permissions") + } + }) + + t.Run("Cleanup with empty network permissions (deny-all)", func(t *testing.T) { + // Test data with Claude engine and empty network permissions (deny-all) + data := &WorkflowData{ + Name: "test-workflow", + EngineConfig: &EngineConfig{ + ID: "claude", + Model: 
"claude-3-5-sonnet-20241022", + }, + NetworkPermissions: &NetworkPermissions{ + Allowed: []string{}, // Empty allowed list (deny-all, but still uses hooks) + }, + } + + steps := engine.GetExecutionSteps(data, "/tmp/test.log") + + // Convert all steps to string for analysis + var allStepsStr strings.Builder + for _, step := range steps { + allStepsStr.WriteString(strings.Join(step, "\n")) + allStepsStr.WriteString("\n") + } + result := allStepsStr.String() + + // Verify cleanup step is generated even for deny-all policy + // because hooks are still created for deny-all enforcement + if !strings.Contains(result, "- name: Clean up network proxy hook files") { + t.Error("Expected cleanup step to be generated even with deny-all network permissions") + } + }) +} + func TestEngineOutputCleanupWithMixedPaths(t *testing.T) { // Test the cleanup logic directly with mixed paths to ensure proper filtering var yaml strings.Builder diff --git a/pkg/workflow/claude_engine.go b/pkg/workflow/claude_engine.go index c0b61a7c8d0..779532e25b6 100644 --- a/pkg/workflow/claude_engine.go +++ b/pkg/workflow/claude_engine.go @@ -34,7 +34,7 @@ func (e *ClaudeEngine) GetInstallationSteps(workflowData *WorkflowData) []GitHub var steps []GitHubActionStep // Check if network permissions are configured (only for Claude engine) - if workflowData.EngineConfig != nil && workflowData.EngineConfig.ID == "claude" && ShouldEnforceNetworkPermissions(workflowData.NetworkPermissions) { + if workflowData.EngineConfig != nil && ShouldEnforceNetworkPermissions(workflowData.NetworkPermissions) { // Generate network hook generator and settings generator hookGenerator := &NetworkHookGenerator{} settingsGenerator := &ClaudeSettingsGenerator{} 
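Review bot: In the first subtest of TestClaudeEngineNetworkHookCleanup, the `if: always()` and `rm -rf …` assertions search the concatenation of every step returned by GetExecutionSteps, so they can pass on text emitted by another step and do not prove that the cleanup step itself carries the condition. Locate the step by its name line and assert on that step only; the flatten-and-search loop is also repeated in all four subtests and could be one helper. No subtest covers `EngineConfig: nil` together with NetworkPermissions set, a combination that the condition in claude_engine.go treats as "no hooks, no cleanup".

```go
// … unchanged: data setup and engine.GetExecutionSteps call …
var cleanup GitHubActionStep
for _, step := range steps {
	if len(step) > 0 && strings.Contains(step[0], "- name: Clean up network proxy hook files") {
		cleanup = step
		break
	}
}
if cleanup == nil {
	t.Fatal("Expected cleanup step to be generated with Claude engine and network permissions")
}
body := strings.Join(cleanup, "\n")
if !strings.Contains(body, "if: always()") {
	t.Error("Expected cleanup step to have 'if: always()' condition")
}
// … unchanged: the three rm -rf assertions, now checked against body …
```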
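Review bot: The comment above the condition in GetInstallationSteps still reads `(only for Claude engine)` although the `EngineConfig.ID == "claude"` test is gone, and the remaining `workflowData.EngineConfig != nil` gate means a workflow with NetworkPermissions set but a nil EngineConfig gets no hook and no settings, so the restriction fails open without any diagnostic. Whether a nil EngineConfig can reach ClaudeEngine is not visible in this hunk; if it can, gate on `ShouldEnforceNetworkPermissions(workflowData.NetworkPermissions)` alone. The same expression is repeated in the `--settings` hunk (@@ -112) and the cleanup hunk (@@ -222) of GetExecutionSteps, so a small helper such as `func (e *ClaudeEngine) enforcesNetwork(d *WorkflowData) bool` would keep install, settings and cleanup from drifting apart. GetInstallationSteps continues outside the hunk.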
@@ -112,7 +112,7 @@ func (e *ClaudeEngine) GetExecutionSteps(workflowData *WorkflowData, logFile str claudeArgs = append(claudeArgs, "--output-format", "json") // Add network settings if configured - if workflowData.EngineConfig != nil && workflowData.EngineConfig.ID == "claude" && ShouldEnforceNetworkPermissions(workflowData.NetworkPermissions) { + if workflowData.EngineConfig != nil && ShouldEnforceNetworkPermissions(workflowData.NetworkPermissions) { claudeArgs = append(claudeArgs, "--settings", "/tmp/.claude/settings.json") } @@ -222,6 +222,19 @@ func (e *ClaudeEngine) GetExecutionSteps(workflowData *WorkflowData, logFile str // Add the log capture step using shared helper function steps = append(steps, generateLogCaptureStep("Claude", logFile)) + // Add cleanup step for network proxy hook files (if proxy was enabled) + if workflowData.EngineConfig != nil && ShouldEnforceNetworkPermissions(workflowData.NetworkPermissions) { + cleanupStep := GitHubActionStep{ + " - name: Clean up network proxy hook files", + " if: always()", + " run: |", + " rm -rf .claude/hooks/network_permissions.py || true", + " rm -rf .claude/hooks || true", + " rm -rf .claude || true", + } + steps = append(steps, cleanupStep) + } + return steps }
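Review bot: `rm -rf .claude || true` in the new cleanup step of GetExecutionSteps deletes the whole `.claude` directory under the job's working directory, not just the generated hook, so if the job runs in the repository checkout any tracked `.claude` content is removed too and may show up as deletions in whatever later steps collect from the workspace. Limit the step to what the generator wrote, e.g. `rm -f .claude/hooks/network_permissions.py` followed by `rmdir .claude/hooks .claude 2>/dev/null || true`, which leaves non-empty directories alone. The settings file passed via `--settings /tmp/.claude/settings.json` lives outside this path and is not removed here; if that is intentional, a comment saying so would help. `rm -rf` already succeeds on a missing path, so the `|| true` on each line only hides real failures.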