test: add CI workflow for non-chroot integration tests (#1048)

* feat(api-proxy): add structured logging, metrics, and request tracing

- logging.js: structured JSON logging with request IDs (crypto.randomUUID),
  sanitizeForLog utility, zero external dependencies
- metrics.js: in-memory counters (requests_total, bytes), histograms
  (request_duration_ms with fixed buckets and percentile calculation),
  gauges (active_requests, uptime), memory-bounded
- server.js: replace all console.log/error with structured logger,
  instrument proxyRequest() with full metrics, add X-Request-ID header
  propagation, enhance /health with metrics_summary, add GET /metrics
  endpoint on port 10000

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(api-proxy): add sliding window rate limiter with CLI integration

Implement per-provider rate limiting for the API proxy sidecar:

- rate-limiter.js: Sliding window counter algorithm with 1-second
  granularity for RPM/bytes and 1-minute granularity for RPH.
  Per-provider independence, memory-bounded, fail-open on errors.

- server.js: Rate limit check before each proxyRequest() call.
  Returns 429 with Retry-After, X-RateLimit-* headers and JSON body.
  Rate limit status added to /health endpoint.

- CLI flags: --rate-limit-rpm, --rate-limit-rph, --rate-limit-bytes-pm,
  --no-rate-limit (all require --enable-api-proxy)

- TypeScript: RateLimitConfig interface in types.ts, env var passthrough
  in docker-manager.ts, validation in cli.ts

- Test runner: AwfOptions extended with rate limit fields

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: add API proxy unit tests to build workflow

Add Jest devDependency and test script to api-proxy package.json,
and add a CI step in build.yml to run container-level unit tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: add integration tests for api-proxy observability

Add two integration test files that verify the observability and rate
limiting features work end-to-end with actual Docker containers.

api-proxy-observability.test.ts:
- /metrics endpoint returns valid JSON with counters, histograms, gauges
- /health endpoint includes metrics_summary
- X-Request-ID header in proxy responses
- Metrics increment after API requests
- rate_limits appear in /health

api-proxy-rate-limit.test.ts:
- 429 response when RPM limit exceeded
- Retry-After header in 429 response
- X-RateLimit-* headers in 429 response
- --no-rate-limit flag disables limiting
- Custom RPM reflected in /health
- Rate limit metrics in /metrics after rejection

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: extract buildRateLimitConfig and add coverage tests

Refactor rate limit validation into a standalone exported function
that can be tested independently. Adds 12 unit tests covering
defaults, --no-rate-limit, custom values, and validation errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: add CI workflow for non-chroot integration tests

Add test-integration-suite.yml that runs all 23 non-chroot integration
tests in 4 parallel jobs grouped by category:

- Domain & Network (7 tests): blocked-domains, dns-servers, empty-domains,
  wildcard-patterns, ipv6, localhost-access, network-security
- Protocol & Security (5 tests): protocol-support, credential-hiding,
  one-shot-tokens, token-unset, git-operations
- Container & Ops (8 tests): container-workdir, docker-warning,
  environment-variables, error-handling, exit-code-propagation,
  log-commands, no-docker, volume-mounts
- API Proxy (3 tests): api-proxy, api-proxy-observability,
  api-proxy-rate-limit

These tests had no CI pipeline before — only chroot tests ran in CI
via test-chroot.yml.

Closes #1040

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: add missing closing braces in awf-runner.ts merge resolution

The merge conflict resolution dropped closing braces for the
noRateLimit if-blocks in both run() and runWithSudo() methods,
causing TypeScript compilation errors in CI.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove duplicate properties in awf-runner.ts from merge

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: Mossaka

.github/workflows/test-integration-suite.yml

@@ -0,0 +1,240 @@
+name: Integration Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test-domain-network:
+    name: Domain & Network Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build project
+        run: npm run build
+
+      - name: Build local containers
+        run: |
+          echo "=== Building local containers ==="
+          docker build -t ghcr.io/github/gh-aw-firewall/squid:latest containers/squid/
+          docker build -t ghcr.io/github/gh-aw-firewall/agent:latest containers/agent/
+
+      - name: Pre-test cleanup
+        run: |
+          echo "=== Pre-test cleanup ==="
+          ./scripts/ci/cleanup.sh || true
+
+      - name: Run domain & network tests
+        run: |
+          echo "=== Running domain & network tests ==="
+          npm run test:integration -- \
+            --testPathPatterns="(blocked-domains|dns-servers|empty-domains|wildcard-patterns|ipv6|localhost-access|network-security)" \
+            --verbose
+        env:
+          JEST_TIMEOUT: 180000
+
+      - name: Post-test cleanup
+        if: always()
+        run: |
+          echo "=== Post-test cleanup ==="
+          ./scripts/ci/cleanup.sh || true
+
+      - name: Collect logs on failure
+        if: failure()
+        run: |
+          echo "=== Collecting failure logs ==="
+          docker ps -a || true
+          docker logs awf-squid 2>&1 || true
+          docker logs awf-agent 2>&1 || true
+          ls -la /tmp/awf-* 2>/dev/null || true
+          sudo cat /tmp/awf-*/squid-logs/access.log 2>/dev/null || true
+
+  test-protocol-security:
+    name: Protocol & Security Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build project
+        run: npm run build
+
+      - name: Build local containers
+        run: |
+          echo "=== Building local containers ==="
+          docker build -t ghcr.io/github/gh-aw-firewall/squid:latest containers/squid/
+          docker build -t ghcr.io/github/gh-aw-firewall/agent:latest containers/agent/
+
+      - name: Pre-test cleanup
+        run: |
+          echo "=== Pre-test cleanup ==="
+          ./scripts/ci/cleanup.sh || true
+
+      - name: Run protocol & security tests
+        run: |
+          echo "=== Running protocol & security tests ==="
+          npm run test:integration -- \
+            --testPathPatterns="(protocol-support|credential-hiding|one-shot-tokens|token-unset|git-operations)" \
+            --verbose
+        env:
+          JEST_TIMEOUT: 180000
+
+      - name: Post-test cleanup
+        if: always()
+        run: |
+          echo "=== Post-test cleanup ==="
+          ./scripts/ci/cleanup.sh || true
+
+      - name: Collect logs on failure
+        if: failure()
+        run: |
+          echo "=== Collecting failure logs ==="
+          docker ps -a || true
+          docker logs awf-squid 2>&1 || true
+          docker logs awf-agent 2>&1 || true
+          ls -la /tmp/awf-* 2>/dev/null || true
+          sudo cat /tmp/awf-*/squid-logs/access.log 2>/dev/null || true
+
+  test-container-ops:
+    name: Container & Ops Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build project
+        run: npm run build
+
+      - name: Build local containers
+        run: |
+          echo "=== Building local containers ==="
+          docker build -t ghcr.io/github/gh-aw-firewall/squid:latest containers/squid/
+          docker build -t ghcr.io/github/gh-aw-firewall/agent:latest containers/agent/
+
+      - name: Pre-test cleanup
+        run: |
+          echo "=== Pre-test cleanup ==="
+          ./scripts/ci/cleanup.sh || true
+
+      - name: Run container & ops tests
+        run: |
+          echo "=== Running container & ops tests ==="
+          npm run test:integration -- \
+            --testPathPatterns="(container-workdir|docker-warning|environment-variables|error-handling|exit-code-propagation|log-commands|no-docker|volume-mounts)" \
+            --verbose
+        env:
+          JEST_TIMEOUT: 180000
+
+      - name: Post-test cleanup
+        if: always()
+        run: |
+          echo "=== Post-test cleanup ==="
+          ./scripts/ci/cleanup.sh || true
+
+      - name: Collect logs on failure
+        if: failure()
+        run: |
+          echo "=== Collecting failure logs ==="
+          docker ps -a || true
+          docker logs awf-squid 2>&1 || true
+          docker logs awf-agent 2>&1 || true
+          ls -la /tmp/awf-* 2>/dev/null || true
+          sudo cat /tmp/awf-*/squid-logs/access.log 2>/dev/null || true
+
+  test-api-proxy:
+    name: API Proxy Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build project
+        run: npm run build
+
+      - name: Build local containers
+        run: |
+          echo "=== Building local containers ==="
+          docker build -t ghcr.io/github/gh-aw-firewall/squid:latest containers/squid/
+          docker build -t ghcr.io/github/gh-aw-firewall/agent:latest containers/agent/
+
+      - name: Pre-test cleanup
+        run: |
+          echo "=== Pre-test cleanup ==="
+          ./scripts/ci/cleanup.sh || true
+
+      - name: Run API proxy tests
+        run: |
+          echo "=== Running API proxy tests ==="
+          npm run test:integration -- \
+            --testPathPatterns="api-proxy" \
+            --verbose
+        env:
+          JEST_TIMEOUT: 180000
+
+      - name: Post-test cleanup
+        if: always()
+        run: |
+          echo "=== Post-test cleanup ==="
+          ./scripts/ci/cleanup.sh || true
+
+      - name: Collect logs on failure
+        if: failure()
+        run: |
+          echo "=== Collecting failure logs ==="
+          docker ps -a || true
+          docker logs awf-squid 2>&1 || true
+          docker logs awf-agent 2>&1 || true
+          ls -la /tmp/awf-* 2>/dev/null || true
+          sudo cat /tmp/awf-*/squid-logs/access.log 2>/dev/null || true

tests/fixtures/awf-runner.ts

@@ -19,12 +19,12 @@ export interface AwfOptions {
   dnsServers?: string[]; // DNS servers to use (e.g., ['8.8.8.8', '2001:4860:4860::8888'])
   allowHostPorts?: string; // Ports or port ranges to allow for host access (e.g., '3000' or '3000-8000')
   enableApiProxy?: boolean; // Enable API proxy sidecar for LLM credential management
-  envAll?: boolean; // Pass all host environment variables to container (--env-all)
-  cliEnv?: Record<string, string>; // Explicit -e KEY=VALUE flags passed to AWF CLI
   rateLimitRpm?: number; // Requests per minute per provider
   rateLimitRph?: number; // Requests per hour per provider
   rateLimitBytesPm?: number; // Request bytes per minute per provider
   noRateLimit?: boolean; // Disable rate limiting
+  envAll?: boolean; // Pass all host environment variables to container (--env-all)
+  cliEnv?: Record<string, string>; // Explicit -e KEY=VALUE flags passed to AWF CLI
 }
 
 export interface AwfResult {
@@ -116,6 +116,20 @@ export class AwfRunner {
       args.push('--enable-api-proxy');
     }
 
+    // Add rate limit flags
+    if (options.rateLimitRpm !== undefined) {
+      args.push('--rate-limit-rpm', String(options.rateLimitRpm));
+    }
+    if (options.rateLimitRph !== undefined) {
+      args.push('--rate-limit-rph', String(options.rateLimitRph));
+    }
+    if (options.rateLimitBytesPm !== undefined) {
+      args.push('--rate-limit-bytes-pm', String(options.rateLimitBytesPm));
+    }
+    if (options.noRateLimit) {
+      args.push('--no-rate-limit');
+    }
+
     // Add --env-all flag
     if (options.envAll) {
       args.push('--env-all');
@@ -296,6 +310,20 @@ export class AwfRunner {
       args.push('--enable-api-proxy');
     }
 
+    // Add rate limit flags
+    if (options.rateLimitRpm !== undefined) {
+      args.push('--rate-limit-rpm', String(options.rateLimitRpm));
+    }
+    if (options.rateLimitRph !== undefined) {
+      args.push('--rate-limit-rph', String(options.rateLimitRph));
+    }
+    if (options.rateLimitBytesPm !== undefined) {
+      args.push('--rate-limit-bytes-pm', String(options.rateLimitBytesPm));
+    }
+    if (options.noRateLimit) {
+      args.push('--no-rate-limit');
+    }
+
     // Add --env-all flag
     if (options.envAll) {
       args.push('--env-all');