fix: keep ~/.copilot host mount with session-state/logs overlays

lpcox · Copilot · lpcox · commit 7d7284630fbf · 2026-04-01T20:13:35.000-07:00
Removing the blanket ~/.copilot mount broke MCP config access and package
extraction. Copilot CLI needs:
- ~/.copilot/mcp-config.json (MCP server config, written by gh-aw framework)
- ~/.copilot/pkg/ (package extraction during startup)

Restore the host ~/.copilot bind mount and overlay session-state and logs
from the AWF workDir on top. Docker processes mounts in order, so the
later session-state and logs mounts shadow the corresponding paths under
the parent ~/.copilot mount.

Result:
- MCP config and packages accessible from host (as before)
- session-state → AWF workDir (events.jsonl captured)
- logs → AWF workDir (agent logs captured)

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts
@@ -784,9 +784,8 @@ describe('docker-manager', () => {
       // CLI state directories
       expect(volumes).toContain(`${homeDir}/.claude:/host${homeDir}/.claude:rw`);
       expect(volumes).toContain(`${homeDir}/.anthropic:/host${homeDir}/.anthropic:rw`);
-      // ~/.copilot is NOT blanket-mounted (security: may contain config/auth state)
-      // Instead, session-state and logs are mounted from AWF workDir at chroot paths
-      expect(volumes).not.toContain(`${homeDir}/.copilot:/host${homeDir}/.copilot:rw`);
+      // ~/.copilot is mounted from host, with session-state and logs overlaid from AWF workDir
+      expect(volumes).toContain(`${homeDir}/.copilot:/host${homeDir}/.copilot:rw`);
       expect(volumes).toContain(`/tmp/awf-test/agent-session-state:/host${homeDir}/.copilot/session-state:rw`);
       expect(volumes).toContain(`/tmp/awf-test/agent-logs:/host${homeDir}/.copilot/logs:rw`);
     });
diff --git a/src/docker-manager.ts b/src/docker-manager.ts
@@ -839,12 +839,15 @@ export function generateDockerCompose(
     // - One-shot token LD_PRELOAD library: /host/tmp/awf-lib/one-shot-token.so
     agentVolumes.push('/tmp:/host/tmp:rw');
 
-    // Mount session-state and logs at chroot paths so events.jsonl and logs are
-    // captured (not written to the host's ~/.copilot via a blanket bind mount).
-    // We intentionally do NOT mount the entire ~/.copilot directory, because it may
-    // contain configuration or cached auth state that should not be exposed to the
-    // sandboxed agent. The empty home volume (above) provides a writable ~/.copilot
-    // for Copilot CLI to create any other files it needs.
+    // Mount ~/.copilot for Copilot CLI (package extraction, MCP config, etc.)
+    // This is safe as ~/.copilot contains only Copilot CLI state, not credentials.
+    // Auth tokens are in COPILOT_GITHUB_TOKEN env var (handled by API proxy sidecar).
+    agentVolumes.push(`${effectiveHome}/.copilot:/host${effectiveHome}/.copilot:rw`);
+
+    // Overlay session-state and logs from AWF workDir so events.jsonl and logs are
+    // captured in the workDir instead of written to the host's ~/.copilot.
+    // Docker processes mounts in order — these shadow the corresponding paths under
+    // the blanket ~/.copilot mount above.
     agentVolumes.push(`${sessionStatePath}:/host${effectiveHome}/.copilot/session-state:rw`);
     agentVolumes.push(`${agentLogsPath}:/host${effectiveHome}/.copilot/logs:rw`);
 
@@ -1029,7 +1032,7 @@ export function generateDockerCompose(
   //
   // Instead of mounting the entire $HOME directory (which contained credentials), we now:
   // 1. Mount ONLY the workspace directory ($GITHUB_WORKSPACE or cwd)
-  // 2. Mount ~/.copilot/logs and ~/.copilot/session-state from AWF workDir (not host)
+  // 2. Mount ~/.copilot with session-state and logs overlaid from AWF workDir
   // 3. Hide credential files by mounting /dev/null over them (defense-in-depth)
   // 4. Allow users to add specific mounts via --mount flag
   //
@@ -1682,20 +1685,6 @@ export async function writeConfigs(config: WrapperConfig): Promise<void> {
     fs.chownSync(emptyHomeDir, uid, gid);
     logger.debug(`Created chroot home directory: ${emptyHomeDir} (${uid}:${gid})`);
 
-    // Pre-create subdirectories inside the empty home volume so they exist with
-    // correct ownership after chroot. Without this, Docker auto-creates them as
-    // root-owned when mounting child volumes (e.g., .copilot/session-state),
-    // preventing user-level writes to sibling paths (e.g., .copilot/pkg).
-    const emptyHomeDirs = ['.copilot'];
-    for (const dir of emptyHomeDirs) {
-      const dirPath = path.join(emptyHomeDir, dir);
-      if (!fs.existsSync(dirPath)) {
-        fs.mkdirSync(dirPath, { recursive: true });
-        fs.chownSync(dirPath, uid, gid);
-        logger.debug(`Created chroot home subdirectory: ${dirPath} (${uid}:${gid})`);
-      }
-    }
-
     // Ensure source directories for subdirectory mounts exist with correct ownership
     const chrootHomeDirs = [
       '.copilot', '.cache', '.config', '.local',
