fix: remove CA cert poll loop, update stale flag comments

The CA cert is now a bind mount (not generated at runtime by mcpg),
so it's immediately available at container start. Replace the 30s
polling loop with a single existence check for faster startup.

Also update stale comments referencing --enable-cli-proxy to
--difc-proxy-host in setup-iptables.sh and gh-cli-proxy-wrapper.sh.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lpcox

containers/agent/gh-cli-proxy-wrapper.sh

@@ -2,7 +2,7 @@
 # /usr/local/bin/gh-cli-proxy-wrapper
 # Forwards gh CLI invocations to the CLI proxy sidecar over HTTP.
 # This wrapper is installed at /usr/local/bin/gh in the agent container
-# when --enable-cli-proxy is active, so it takes precedence over any
+# when --difc-proxy-host is active, so it takes precedence over any
 # host-mounted gh binary at /host/usr/bin/gh.
 #
 # Dependencies: curl, jq (both available in the agent container)

containers/agent/setup-iptables.sh

@@ -174,7 +174,7 @@ if [ -n "$AWF_API_PROXY_IP" ]; then
 fi
 
 # Allow traffic to CLI proxy sidecar (when enabled)
-# AWF_CLI_PROXY_IP is set by docker-manager.ts when --enable-cli-proxy is used
+# AWF_CLI_PROXY_IP is set by docker-manager.ts when --difc-proxy-host is used
 if [ -n "$AWF_CLI_PROXY_IP" ]; then
   echo "[iptables] Allow traffic to CLI proxy sidecar (${AWF_CLI_PROXY_IP})..."
   iptables -t nat -A OUTPUT -d "$AWF_CLI_PROXY_IP" -j RETURN

containers/cli-proxy/entrypoint.sh

@@ -24,23 +24,16 @@ echo "[cli-proxy] Starting TCP tunnel: localhost:${DIFC_PORT} → ${DIFC_HOST}:$
 node /app/tcp-tunnel.js "${DIFC_PORT}" "${DIFC_HOST}" "${DIFC_PORT}" &
 TUNNEL_PID=$!
 
-# Wait for CA cert to appear (mounted from host by docker-manager.ts)
-echo "[cli-proxy] Waiting for DIFC proxy TLS certificate..."
-i=0
-while [ $i -lt 30 ]; do
-  if [ -f /tmp/proxy-tls/ca.crt ]; then
-    echo "[cli-proxy] TLS certificate available"
-    break
-  fi
-  sleep 1
-  i=$((i + 1))
-done
-
+# Verify CA cert is available (bind-mounted from host by docker-manager.ts).
+# Unlike the old architecture where mcpg generated the cert at runtime, the
+# external DIFC proxy has already created the cert before AWF starts, so the
+# bind mount makes it immediately available — no polling needed.
 if [ ! -f /tmp/proxy-tls/ca.crt ]; then
-  echo "[cli-proxy] ERROR: DIFC proxy TLS certificate not found within 30s"
-  echo "[cli-proxy] Ensure --difc-proxy-ca-cert points to a valid CA cert file"
+  echo "[cli-proxy] ERROR: DIFC proxy TLS certificate not found at /tmp/proxy-tls/ca.crt"
+  echo "[cli-proxy] Ensure --difc-proxy-ca-cert points to a valid CA cert file on the host"
   exit 1
 fi
+echo "[cli-proxy] TLS certificate available"
 
 # Configure gh CLI to route through the DIFC proxy via the TCP tunnel
 # Uses localhost because the tunnel makes the DIFC proxy appear on localhost,