Copilot AI commented Jan 7, 2026

HTTP MCP servers configured with localhost URLs are inaccessible from inside firewall containers because localhost resolves to the container, not the host machine. The Daily Firewall Report workflow failed because the agent couldn't reach the gh-aw MCP server running on localhost:8765.

Changes

  • URL rewriting in MCP config rendering: Added rewriteLocalhostToDockerHost() that rewrites localhost/127.0.0.1 URLs to host.docker.internal when firewall is enabled (sandbox agent not disabled)
  • Propagated workflowData context: Updated Copilot, Claude, Custom, and Codex engine MCP renderers to pass sandbox configuration via closures
  • New RewriteLocalhostToDocker flag: Added to MCPConfigRenderer struct to control URL rewriting behavior

Example

Before (fails inside container):

"gh-aw": {
  "type": "http",
  "url": "http://localhost:8765"
}

After (works inside container):

"gh-aw": {
  "type": "http",
  "url": "http://host.docker.internal:8765"
}

The rewriting only applies when firewall is enabled. Setting sandbox.agent.disabled: true preserves localhost URLs.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/git xterm-color gh 0/x64/bin/node git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login /ref/tags/v8 sh /usr/bin/git 6642601/run-1007infocmp infocmp 64/bin/go git -C etup-go/git/ref/tags/v6 rev-parse /usr/bin/gh ithub-script/gitgh e/git 64/pkg/tool/linu/repos/actions/github-script/git/ref/tags/v8 gh (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login runs/20260107-235213-35920/test-933456102/.github/workflows y /usr/bin/git 6675173/run-1019/tmp/gh-aw-compile-integration-579503576/gh-aw --jq 64/pkg/tool/linuadd git -C 3aee6377818e0f17--verbose rev-parse le-integration-2REDACTED /repos/actions/grm --jq ache/node/24.12./tmp/runc-shim-error.log le-integration-253570785/gh-aw (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Daily Firewall Logs Collector and Reporter workflow needs significant improvement:

What actually happened:

  1. All data fetching attempts failed:
    - gh aw logs --firewall → extension not installed
    - Python script with GitHub API → gh CLI not authenticated
    - pip install pandas/matplotlib → pip not available
  2. Agent fell back to cached historical data from history.jsonl. The last real data point was from 2025-12-05 (line 16):
    {"total_requests":8894, "allowed_requests":8894, "denied_requests":0,
    "runs_analyzed":700, "denied_domains":[]}
  3. The report contains fabricated data:
    - Report claimed "10 unique domains with blocking rules" and listed pypi.org, api.github.com as blocked
    - But the historical data shows denied_requests: 0 and denied_domains: [] (empty!)
    - The agent hallucinated the blocked domains section

The problem:
The agent couldn't fetch fresh data, read month-old cached data that showed zero blocked requests, then generated a report claiming there were blocked domains with detailed recommendations about them. This is a hallucination - the agent made up the blocked domains analysis.

Root cause:
The workflow runs inside a firewall container without:

  • gh aw CLI extension installed
  • Authenticated gh CLI
  • Python pip for data analysis

So the MCP tools (logs, audit) that the prompt instructed the agent to use were inaccessible, and the agent improvised poorly by making up data.


Changeset

  • Type: patch
  • Description: Rewrite MCP server localhost/127.0.0.1 URLs to host.docker.internal when firewall is enabled; add RewriteLocalhostToDocker flag and propagate sandbox configuration to MCP renderers. Rewriting is skipped when sandbox.agent.disabled: true.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator

Copilot AI and others added 2 commits January 7, 2026 23:59
…enabled

When an agent runs inside a firewall container (Docker), localhost refers to
the container itself, not the host machine. This causes HTTP MCP servers
started on the host (like gh-aw mcp-server on port 8765) to be inaccessible.

This fix:
- Adds RewriteLocalhostToDocker flag to MCPConfigRenderer
- Adds rewriteLocalhostToDockerHost() helper function
- Updates all engine implementations to pass workflowData context
- Rewrites localhost/127.0.0.1 URLs to host.docker.internal when firewall is enabled
- Preserves localhost URLs when firewall is disabled (sandbox.agent.disabled: true)

Fixes the Daily Firewall Report workflow which was failing because the agent
couldn't access the gh-aw MCP server running on localhost:8765.

Co-authored-by: Mossaka <[email protected]>

Addresses code review feedback:
- Use table-driven approach with prefix matching for all protocols
- Handle http/https for both localhost and 127.0.0.1
- Use HasPrefix for all checks to avoid matching URLs with localhost in path

Co-authored-by: Mossaka <[email protected]>
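The PR description and the second commit message above describe the rewrite rule (localhost/127.0.0.1 becomes host.docker.internal only while the firewall is enabled, table-driven, http and https, no match on a "localhost" that merely appears in the path). The following is an added illustration written for this page, not gh-aw's own rewriteLocalhostToDockerHost() or its MCPConfigRenderer; the function names, the MCPServer struct and the sample config are assumptions. It goes one step beyond the prefix matching the commit describes: it parses the URL and compares the host component exactly, so a look-alike host such as localhost.example.com is left alone as well, and the port, path and query survive the rewrite.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// loopbackHosts is the table of host names that resolve to the agent
// container itself when the agent runs inside the firewall sandbox.
// Only the two names the PR covers are listed; "::1" is intentionally absent.
var loopbackHosts = map[string]bool{
	"localhost": true,
	"127.0.0.1": true,
}

// dockerHostAlias is the name Docker resolves to the host machine.
const dockerHostAlias = "host.docker.internal"

// RewriteLoopbackURL returns rawURL with a loopback host replaced by
// host.docker.internal, but only when the firewall is enabled.
// Hypothetical reimplementation for illustration, not gh-aw's code.
//
// Matching is done on the parsed host component so that:
//   - only http/https URLs are touched
//   - "http://localhost.example.com" is NOT rewritten (a prefix match would be)
//   - "http://example.com/localhost" is NOT rewritten (a substring match would be)
//   - the port, path and query string are preserved
func RewriteLoopbackURL(rawURL string, firewallEnabled bool) (string, error) {
	if !firewallEnabled {
		// sandbox.agent.disabled: true -> leave the URL untouched
		return rawURL, nil
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", fmt.Errorf("mcp url %q: %w", rawURL, err)
	}
	scheme := strings.ToLower(u.Scheme)
	if scheme != "http" && scheme != "https" {
		return rawURL, nil
	}
	if !loopbackHosts[strings.ToLower(u.Hostname())] {
		return rawURL, nil
	}
	if port := u.Port(); port != "" {
		u.Host = dockerHostAlias + ":" + port
	} else {
		u.Host = dockerHostAlias
	}
	return u.String(), nil
}

// MCPServer mirrors the shape of the JSON snippet in the PR description
// (assumed struct, not the project's own type).
type MCPServer struct {
	Type string `json:"type"`
	URL  string `json:"url,omitempty"`
}

// RewriteMCPConfig applies RewriteLoopbackURL to every http-type server
// in a config map and returns a new map; stdio servers pass through.
func RewriteMCPConfig(servers map[string]MCPServer, firewallEnabled bool) (map[string]MCPServer, error) {
	out := make(map[string]MCPServer, len(servers))
	for name, s := range servers {
		if s.Type == "http" {
			rewritten, err := RewriteLoopbackURL(s.URL, firewallEnabled)
			if err != nil {
				return nil, fmt.Errorf("server %s: %w", name, err)
			}
			s.URL = rewritten
		}
		out[name] = s
	}
	return out, nil
}

func main() {
	// Constructed sample config: the PR's "before" entry plus two URLs that
	// must not be rewritten even though they contain "localhost".
	cfg := map[string]MCPServer{
		"gh-aw":     {Type: "http", URL: "http://localhost:8765"},
		"remote":    {Type: "http", URL: "https://mcp.example.com/localhost"},
		"lookalike": {Type: "http", URL: "http://localhost.example.com:8765"},
	}
	for _, fw := range []bool{true, false} {
		out, err := RewriteMCPConfig(cfg, fw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("firewall enabled=%v\n", fw)
		for name, s := range out {
			fmt.Printf("  %-9s %s\n", name, s.URL)
		}
	}
}
```

With the firewall enabled only the gh-aw entry changes, to http://host.docker.internal:8765; with sandbox.agent.disabled: true every URL is returned as given. Exact host comparison is the safer choice for a firewall sandbox, because a rewrite keyed on a string prefix can be steered by a config author to point the agent at a host the rule never meant to cover.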
Copilot AI changed the title from "[WIP] Fix data fetching issues in firewall logs reporting" to "fix: rewrite localhost URLs to host.docker.internal when firewall is enabled" Jan 8, 2026
Copilot AI requested a review from Mossaka January 8, 2026 00:15
@Mossaka Mossaka marked this pull request as ready for review January 8, 2026 00:25
@Mossaka Mossaka added the smoke label Jan 8, 2026

github-actions bot commented Jan 8, 2026

🤖 DIAGNOSTIC COMPLETE: Smoke Copilot No Firewall STATUS: ALL_UNITS_OPERATIONAL. MISSION_SUCCESS.


github-actions bot commented Jan 8, 2026

🎉 Yo ho ho! Smoke Copilot Safe Inputs found the treasure and completed successfully! ⚓💰


github-actions bot commented Jan 8, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰


github-actions bot commented Jan 8, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟


github-actions bot commented Jan 8, 2026

📰 VERDICT: Smoke Copilot Playwright has concluded. All systems operational. This is a developing story. 🎤


github-actions bot commented Jan 8, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤


github-actions bot commented Jan 8, 2026

🎬 THE END: Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨


github-actions bot commented Jan 8, 2026

✅ Firewall validation complete... Smoke Codex Firewall confirmed network sandboxing is operational. 🛡️


github-actions bot commented Jan 8, 2026

Smoke Test Results: Copilot Safe Inputs

File Writing: Test file created successfully
Bash Tool: File read verification passed
safeinputs-gh Tool: Not available in this workflow

Overall Status: ⚠️ PARTIAL PASS

The safeinputs-gh tool is not available in the current tool configuration. File operations and bash commands work correctly.

AI generated by Smoke Copilot Safe Inputs


github-actions bot commented Jan 8, 2026

Smoke Test Results: Copilot Engine (No Firewall)

PR Review: Last 2 merged PRs reviewed (#9286, #9280)
File Creation: Test file created at /tmp/gh-aw/agent/smoke-test-copilot-20801216129.txt
Playwright Navigation: Navigated to https://github.com - Page title: "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
GitHub API Access: Successfully listed issues via GitHub API

All tests passed successfully.

AI generated by Smoke Copilot No Firewall


github-actions bot commented Jan 8, 2026

🧪 Copilot Smoke Test Results

Last 2 merged PRs:

✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-20801216099.txt
✅ Bash Tool: Successfully executed and verified file
✅ Cache Memory: Created /tmp/gh-aw/cache-memory/smoke-test-20801216099.txt
✅ Web Fetch: Retrieved valid JSON from https://api.github.com/repos/githubnext/gh-aw
✅ Protocol Filtering: Confirmed https://api.github.com and (redacted) in allowed domains
✅ GitHub MCP (default): Accessed issues, PRs via default toolsets
✅ get_me Tool: Correctly unavailable with default toolsets (expected behavior)

Overall: PASS

cc @Mossaka @Copilot

AI generated by Smoke Copilot


github-actions bot commented Jan 8, 2026

Smoke Test Results

Playwright MCP: Not available in environment
Cache Memory: File created successfully
safeinputs-gh: GH_TOKEN not configured

Overall Status: ❌ FAIL

AI generated by Smoke Copilot Playwright


github-actions bot commented Jan 8, 2026

Smoke test results:

  • PRs: docs: document default mounted volumes for AWF sandbox; Enable CodeQL analysis for GitHub Actions workflows
  • GitHub MCP: ✅
  • File write/read (/tmp/gh-aw/agent): ✅
  • Cache memory write/read: ✅
  • Playwright github.com title: ✅
  • safeinputs-gh gh issues list: ❌ (command not found)
    Overall: FAIL

AI generated by Smoke Codex


github-actions bot commented Jan 8, 2026

Smoke Test Results - Claude Engine

Recent PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved 2 recent merged PRs
  • ✅ File Writing: Created test file in /tmp/gh-aw/agent/
  • ✅ Bash Tool: Verified file creation successful
  • ✅ Playwright MCP: Navigated to github.com, title contains "GitHub"
  • ✅ Cache Memory: Created and verified test file in /tmp/gh-aw/cache-memory/
  • ❌ Safe Input gh Tool: gh CLI requires GH_TOKEN environment variable

Overall Status: PARTIAL PASS (5/6 tests passed)

AI generated by Smoke Claude


github-actions bot commented Jan 8, 2026

PRs (merged): docs: document default mounted volumes for AWF sandbox; Enable CodeQL analysis for GitHub Actions workflows
✅ OpenAI curl blocked
✅ GitHub MCP OK (titles above)
✅ File write/read OK (/tmp/gh-aw/agent/smoke-test-codex-firewall-20801216127.txt)
✅ Blocked domain curl blocked
✅ AWF allow-domains includes https://api.github.com (see /home/runner/work/_temp/3e700fde-fba4-4f0a-a21b-a2645d4cf7ef.sh)
Network: SANDBOXED | Overall: PASS

AI generated by Smoke Codex Firewall

@Mossaka Mossaka merged commit 36a29b6 into main Jan 8, 2026
79 checks passed
@Mossaka Mossaka deleted the copilot/fix-firewall-logs-collection branch January 8, 2026 00:49