feat(docker-manager): add --diagnostic-logs flag for container failure diagnostics (#1906)

* Initial plan

* feat: implement --diagnostic-logs flag for container failure diagnostics

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/86fd7c63-7633-4d6a-981d-659d13b69098

* fix: address code review feedback on diagnostic-logs implementation

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/86fd7c63-7633-4d6a-981d-659d13b69098

* fix: use \\w* in redaction regex and clean up help text

Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/86fd7c63-7633-4d6a-981d-659d13b69098

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Landon Cox <landon.cox@microsoft.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: 3 people

src/cli-workflow.test.ts

@@ -224,4 +224,90 @@ describe('runMainWorkflow', () => {
     expect(logger.warn).toHaveBeenCalledWith('Command completed with exit code: 42');
     expect(logger.success).not.toHaveBeenCalled();
   });
+
+  it('calls collectDiagnosticLogs before cleanup on non-zero exit when diagnosticLogs is enabled', async () => {
+    const callOrder: string[] = [];
+    const configWithDiagnostics: WrapperConfig = {
+      ...baseConfig,
+      diagnosticLogs: true,
+    };
+    const dependencies: WorkflowDependencies = {
+      ensureFirewallNetwork: jest.fn().mockResolvedValue({ squidIp: '172.30.0.10' }),
+      setupHostIptables: jest.fn().mockResolvedValue(undefined),
+      writeConfigs: jest.fn().mockResolvedValue(undefined),
+      startContainers: jest.fn().mockResolvedValue(undefined),
+      runAgentCommand: jest.fn().mockImplementation(async () => {
+        callOrder.push('runAgentCommand');
+        return { exitCode: 1 };
+      }),
+      collectDiagnosticLogs: jest.fn().mockImplementation(async () => {
+        callOrder.push('collectDiagnosticLogs');
+      }),
+    };
+    const performCleanup = jest.fn().mockImplementation(async () => {
+      callOrder.push('performCleanup');
+    });
+    const logger = createLogger();
+
+    await runMainWorkflow(configWithDiagnostics, dependencies, { logger, performCleanup });
+
+    expect(callOrder).toEqual(['runAgentCommand', 'collectDiagnosticLogs', 'performCleanup']);
+    expect(dependencies.collectDiagnosticLogs).toHaveBeenCalledWith(configWithDiagnostics.workDir);
+  });
+
+  it('does not call collectDiagnosticLogs when diagnosticLogs is disabled', async () => {
+    const collectDiagnosticLogs = jest.fn().mockResolvedValue(undefined);
+    const dependencies: WorkflowDependencies = {
+      ensureFirewallNetwork: jest.fn().mockResolvedValue({ squidIp: '172.30.0.10' }),
+      setupHostIptables: jest.fn().mockResolvedValue(undefined),
+      writeConfigs: jest.fn().mockResolvedValue(undefined),
+      startContainers: jest.fn().mockResolvedValue(undefined),
+      runAgentCommand: jest.fn().mockResolvedValue({ exitCode: 1 }),
+      collectDiagnosticLogs,
+    };
+    const logger = createLogger();
+
+    await runMainWorkflow(baseConfig, dependencies, { logger, performCleanup: jest.fn() });
+
+    expect(collectDiagnosticLogs).not.toHaveBeenCalled();
+  });
+
+  it('does not call collectDiagnosticLogs on zero exit even when diagnosticLogs is enabled', async () => {
+    const collectDiagnosticLogs = jest.fn().mockResolvedValue(undefined);
+    const configWithDiagnostics: WrapperConfig = {
+      ...baseConfig,
+      diagnosticLogs: true,
+    };
+    const dependencies: WorkflowDependencies = {
+      ensureFirewallNetwork: jest.fn().mockResolvedValue({ squidIp: '172.30.0.10' }),
+      setupHostIptables: jest.fn().mockResolvedValue(undefined),
+      writeConfigs: jest.fn().mockResolvedValue(undefined),
+      startContainers: jest.fn().mockResolvedValue(undefined),
+      runAgentCommand: jest.fn().mockResolvedValue({ exitCode: 0 }),
+      collectDiagnosticLogs,
+    };
+    const logger = createLogger();
+
+    await runMainWorkflow(configWithDiagnostics, dependencies, { logger, performCleanup: jest.fn() });
+
+    expect(collectDiagnosticLogs).not.toHaveBeenCalled();
+  });
+
+  it('does not call collectDiagnosticLogs when dependency is not provided', async () => {
+    const configWithDiagnostics: WrapperConfig = {
+      ...baseConfig,
+      diagnosticLogs: true,
+    };
+    const dependencies: WorkflowDependencies = {
+      ensureFirewallNetwork: jest.fn().mockResolvedValue({ squidIp: '172.30.0.10' }),
+      setupHostIptables: jest.fn().mockResolvedValue(undefined),
+      writeConfigs: jest.fn().mockResolvedValue(undefined),
+      startContainers: jest.fn().mockResolvedValue(undefined),
+      runAgentCommand: jest.fn().mockResolvedValue({ exitCode: 1 }),
+      // collectDiagnosticLogs not provided
+    };
+    const logger = createLogger();
+
+    await expect(runMainWorkflow(configWithDiagnostics, dependencies, { logger, performCleanup: jest.fn() })).resolves.toBe(1);
+  });
 });

src/cli-workflow.ts

@@ -14,6 +14,7 @@ export interface WorkflowDependencies {
     proxyLogsDir?: string,
     agentTimeoutMinutes?: number
   ) => Promise<{ exitCode: number }>;
+  collectDiagnosticLogs?: (workDir: string) => Promise<void>;
 }
 
 export interface WorkflowCallbacks {
@@ -76,6 +77,16 @@ export async function runMainWorkflow(
   // Step 3: Wait for agent to complete
   const result = await dependencies.runAgentCommand(config.workDir, config.allowedDomains, config.proxyLogsDir, config.agentTimeout);
 
+  // Step 3.5: Collect diagnostic logs before containers are stopped
+  // Must run BEFORE performCleanup() which calls docker compose down -v.
+  if (config.diagnosticLogs && result.exitCode !== 0 && dependencies.collectDiagnosticLogs) {
+    try {
+      await dependencies.collectDiagnosticLogs(config.workDir);
+    } catch (error) {
+      logger.warn('Failed to collect diagnostic logs; continuing with cleanup.', error);
+    }
+  }
+
   // Step 4: Cleanup (logs will be preserved automatically if they exist)
   await performCleanup();
 

src/cli.ts

@@ -15,6 +15,7 @@ import {
   cleanup,
   preserveIptablesAudit,
   fastKillAgentContainer,
+  collectDiagnosticLogs,
 } from './docker-manager';
 import {
   ensureFirewallNetwork,
@@ -1484,6 +1485,13 @@ program
     '--session-state-dir <path>',
     'Directory to save Copilot CLI session state (events.jsonl, session data)'
   )
+  .option(
+    '--diagnostic-logs',
+    'Collect container logs, exit state, and sanitized config on non-zero exit.\n' +
+    '                                       Useful for debugging container startup failures (e.g. Squid crashes in DinD).\n' +
+    '                                       Written to <workDir>/diagnostics/ (or <audit-dir>/diagnostics/ when set).',
+    false
+  )
   .argument('[args...]', 'Command and arguments to execute (use -- to separate from options)')
   .action(async (args: string[], options) => {
     // Require -- separator for passing command arguments
@@ -1826,6 +1834,7 @@ program
       difcProxyHost: options.difcProxyHost,
       difcProxyCaCert: options.difcProxyCaCert,
       githubToken: process.env.GITHUB_TOKEN || process.env.GH_TOKEN,
+      diagnosticLogs: options.diagnosticLogs || false,
     };
 
     // Parse and validate --agent-timeout
@@ -2006,6 +2015,7 @@ program
           writeConfigs,
           startContainers,
           runAgentCommand,
+          collectDiagnosticLogs,
         },
         {
           logger,

src/docker-manager.test.ts

@@ -1,4 +1,4 @@
-import { generateDockerCompose, subnetsOverlap, writeConfigs, startContainers, stopContainers, fastKillAgentContainer, isAgentExternallyKilled, resetAgentExternallyKilled, AGENT_CONTAINER_NAME, cleanup, runAgentCommand, validateIdNotInSystemRange, getSafeHostUid, getSafeHostGid, getRealUserHome, extractGhHostFromServerUrl, readGitHubPathEntries, mergeGitHubPathEntries, readEnvFile, MIN_REGULAR_UID, ACT_PRESET_BASE_IMAGE, stripScheme } from './docker-manager';
+import { generateDockerCompose, subnetsOverlap, writeConfigs, startContainers, stopContainers, fastKillAgentContainer, isAgentExternallyKilled, resetAgentExternallyKilled, AGENT_CONTAINER_NAME, cleanup, runAgentCommand, validateIdNotInSystemRange, getSafeHostUid, getSafeHostGid, getRealUserHome, extractGhHostFromServerUrl, readGitHubPathEntries, mergeGitHubPathEntries, readEnvFile, MIN_REGULAR_UID, ACT_PRESET_BASE_IMAGE, stripScheme, collectDiagnosticLogs } from './docker-manager';
 import { WrapperConfig } from './types';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -4222,4 +4222,201 @@ describe('docker-manager', () => {
       expect(() => readEnvFile(path.join(tmpDir, 'missing.env'))).toThrow();
     });
   });
+
+  describe('collectDiagnosticLogs', () => {
+    let testDir: string;
+
+    beforeEach(() => {
+      testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'awf-'));
+      jest.clearAllMocks();
+    });
+
+    afterEach(() => {
+      if (fs.existsSync(testDir)) {
+        fs.rmSync(testDir, { recursive: true, force: true });
+      }
+    });
+
+    it('should create diagnostics directory and write container logs', async () => {
+      // Mock docker logs returning content
+      mockExecaFn
+        .mockResolvedValueOnce({ stdout: 'squid log output', stderr: '', exitCode: 0 })  // docker logs awf-squid
+        .mockResolvedValueOnce({ stdout: '0 ', stderr: '', exitCode: 0 })                 // docker inspect state awf-squid
+        .mockResolvedValueOnce({ stdout: '[{"Type":"bind"}]', stderr: '', exitCode: 0 })  // docker inspect mounts awf-squid
+        .mockResolvedValueOnce({ stdout: 'agent log output', stderr: '', exitCode: 0 })   // docker logs awf-agent
+        .mockResolvedValueOnce({ stdout: '1 container crashed', stderr: '', exitCode: 0 }) // docker inspect state awf-agent
+        .mockResolvedValueOnce({ stdout: '[{"Type":"volume"}]', stderr: '', exitCode: 0 }) // docker inspect mounts awf-agent
+        .mockResolvedValueOnce({ stdout: '', stderr: '', exitCode: 1 })                    // docker logs awf-api-proxy (not started)
+        .mockResolvedValueOnce({ stdout: '', stderr: '', exitCode: 1 })                    // docker inspect state awf-api-proxy
+        .mockResolvedValueOnce({ stdout: 'null', stderr: '', exitCode: 0 })                // docker inspect mounts awf-api-proxy (null)
+        .mockResolvedValueOnce({ stdout: '', stderr: '', exitCode: 0 })                    // docker logs awf-iptables-init
+        .mockResolvedValueOnce({ stdout: '0 ', stderr: '', exitCode: 0 })                 // docker inspect state awf-iptables-init
+        .mockResolvedValueOnce({ stdout: '[]', stderr: '', exitCode: 0 });                 // docker inspect mounts awf-iptables-init
+
+      // Create a docker-compose.yml with a secret env var
+      const composeContent = [
+        'services:',
+        '  squid:',
+        '    environment:',
+        '      AWF_SQUID_CONFIG_B64: secretvalue',
+        '      GITHUB_TOKEN: ghp_abc123',
+        '      SOME_KEY: mykey',
+        '      NORMAL_VAR: normalvalue',
+      ].join('\n');
+      fs.writeFileSync(path.join(testDir, 'docker-compose.yml'), composeContent);
+
+      await collectDiagnosticLogs(testDir);
+
+      const diagnosticsDir = path.join(testDir, 'diagnostics');
+      expect(fs.existsSync(diagnosticsDir)).toBe(true);
+
+      // awf-squid.log should have content
+      expect(fs.existsSync(path.join(diagnosticsDir, 'awf-squid.log'))).toBe(true);
+      expect(fs.readFileSync(path.join(diagnosticsDir, 'awf-squid.log'), 'utf8')).toContain('squid log output');
+
+      // awf-agent.log should have content
+      expect(fs.existsSync(path.join(diagnosticsDir, 'awf-agent.log'))).toBe(true);
+      expect(fs.readFileSync(path.join(diagnosticsDir, 'awf-agent.log'), 'utf8')).toContain('agent log output');
+
+      // State files should be written
+      expect(fs.existsSync(path.join(diagnosticsDir, 'awf-squid.state'))).toBe(true);
+      expect(fs.existsSync(path.join(diagnosticsDir, 'awf-agent.state'))).toBe(true);
+
+      // Mounts files for containers that returned non-null JSON
+      expect(fs.existsSync(path.join(diagnosticsDir, 'awf-squid.mounts.json'))).toBe(true);
+      expect(fs.existsSync(path.join(diagnosticsDir, 'awf-agent.mounts.json'))).toBe(true);
+      // awf-api-proxy returned 'null' so no mounts file
+      expect(fs.existsSync(path.join(diagnosticsDir, 'awf-api-proxy.mounts.json'))).toBe(false);
+
+      // Sanitized docker-compose.yml should exist with secrets redacted
+      const sanitizedCompose = fs.readFileSync(path.join(diagnosticsDir, 'docker-compose.yml'), 'utf8');
+      expect(sanitizedCompose).toContain('[REDACTED]');
+      // GITHUB_TOKEN and SOME_KEY contain TOKEN/KEY → redacted
+      expect(sanitizedCompose).not.toContain('ghp_abc123');
+      expect(sanitizedCompose).not.toContain('mykey');
+      // AWF_SQUID_CONFIG_B64 does not contain TOKEN/KEY/SECRET → preserved
+      expect(sanitizedCompose).toContain('secretvalue');
+      // Non-secret env vars should be unchanged
+      expect(sanitizedCompose).toContain('NORMAL_VAR: normalvalue');
+    });
+
+    it('should not write log file when docker logs returns empty output', async () => {
+      mockExecaFn
+        .mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 }); // all containers return empty
+
+      await collectDiagnosticLogs(testDir);
+
+      const diagnosticsDir = path.join(testDir, 'diagnostics');
+      // No .log files should be written for empty output
+      const files = fs.existsSync(diagnosticsDir) ? fs.readdirSync(diagnosticsDir) : [];
+      const logFiles = files.filter(f => f.endsWith('.log'));
+      expect(logFiles).toHaveLength(0);
+    });
+
+    it('should skip docker-compose.yml sanitization when file does not exist', async () => {
+      mockExecaFn.mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 });
+
+      // No docker-compose.yml created in testDir
+      await expect(collectDiagnosticLogs(testDir)).resolves.not.toThrow();
+
+      const diagnosticsDir = path.join(testDir, 'diagnostics');
+      expect(fs.existsSync(path.join(diagnosticsDir, 'docker-compose.yml'))).toBe(false);
+    });
+
+    it('should handle docker command failures gracefully', async () => {
+      // All docker commands throw errors
+      mockExecaFn.mockRejectedValue(new Error('docker not found'));
+
+      await expect(collectDiagnosticLogs(testDir)).resolves.not.toThrow();
+    });
+
+    it('should redact lowercase and mixed-case secret env var names', async () => {
+      mockExecaFn.mockResolvedValue({ stdout: '', stderr: '', exitCode: 0 });
+
+      const composeContent = [
+        'services:',
+        '  agent:',
+        '    environment:',
+        '      github_token: ghp_lowercase',
+        '      Api_Key: mixedcase_value',
+        '      OAUTH_SECRET: uppercase_secret',
+        '      not_sensitive: keepme',
+      ].join('\n');
+      fs.writeFileSync(path.join(testDir, 'docker-compose.yml'), composeContent);
+
+      await collectDiagnosticLogs(testDir);
+
+      const sanitized = fs.readFileSync(path.join(testDir, 'diagnostics', 'docker-compose.yml'), 'utf8');
+      // All three secret patterns should be redacted
+      expect(sanitized).not.toContain('ghp_lowercase');
+      expect(sanitized).not.toContain('mixedcase_value');
+      expect(sanitized).not.toContain('uppercase_secret');
+      // Non-secret var must be preserved
+      expect(sanitized).toContain('not_sensitive: keepme');
+    });
+  });
+
+  describe('cleanup - diagnostics preservation', () => {
+    let testDir: string;
+
+    beforeEach(() => {
+      testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'awf-'));
+      jest.clearAllMocks();
+      mockExecaSync.mockReturnValue({ stdout: '', stderr: '', exitCode: 0 });
+    });
+
+    afterEach(() => {
+      if (fs.existsSync(testDir)) {
+        fs.rmSync(testDir, { recursive: true, force: true });
+      }
+      const timestamp = path.basename(testDir).replace('awf-', '');
+      const diagDir = path.join(os.tmpdir(), `awf-diagnostics-${timestamp}`);
+      if (fs.existsSync(diagDir)) {
+        fs.rmSync(diagDir, { recursive: true, force: true });
+      }
+    });
+
+    it('should preserve diagnostics to /tmp when no auditDir is specified', async () => {
+      const diagnosticsDir = path.join(testDir, 'diagnostics');
+      fs.mkdirSync(diagnosticsDir, { recursive: true });
+      fs.writeFileSync(path.join(diagnosticsDir, 'awf-squid.log'), 'squid crashed\n');
+
+      await cleanup(testDir, false);
+
+      const timestamp = path.basename(testDir).replace('awf-', '');
+      const preserved = path.join(os.tmpdir(), `awf-diagnostics-${timestamp}`);
+      expect(fs.existsSync(preserved)).toBe(true);
+      expect(fs.readFileSync(path.join(preserved, 'awf-squid.log'), 'utf8')).toBe('squid crashed\n');
+    });
+
+    it('should co-locate diagnostics under auditDir/diagnostics when auditDir is specified', async () => {
+      const auditDir = fs.mkdtempSync(path.join(os.tmpdir(), 'awf-audit-test-'));
+      try {
+        const diagnosticsDir = path.join(testDir, 'diagnostics');
+        fs.mkdirSync(diagnosticsDir, { recursive: true });
+        fs.writeFileSync(path.join(diagnosticsDir, 'awf-agent.log'), 'agent output\n');
+
+        await cleanup(testDir, false, undefined, auditDir);
+
+        const auditDiagnosticsDir = path.join(auditDir, 'diagnostics');
+        expect(fs.existsSync(auditDiagnosticsDir)).toBe(true);
+        expect(fs.readFileSync(path.join(auditDiagnosticsDir, 'awf-agent.log'), 'utf8')).toBe('agent output\n');
+        expect(mockExecaSync).toHaveBeenCalledWith('chmod', ['-R', 'a+rX', auditDiagnosticsDir]);
+      } finally {
+        fs.rmSync(auditDir, { recursive: true, force: true });
+      }
+    });
+
+    it('should not create diagnostics destination when diagnostics dir is empty', async () => {
+      // Empty diagnostics dir
+      const diagnosticsDir = path.join(testDir, 'diagnostics');
+      fs.mkdirSync(diagnosticsDir, { recursive: true });
+
+      await cleanup(testDir, false);
+
+      const timestamp = path.basename(testDir).replace('awf-', '');
+      const preserved = path.join(os.tmpdir(), `awf-diagnostics-${timestamp}`);
+      expect(fs.existsSync(preserved)).toBe(false);
+    });
+  });
 });