fix: add Maven settings.xml proxy and fix nonProxyHosts

Maven's HTTP transport does not read Java system properties for proxy
configuration, causing "Unsupported or unrecognized SSL message" errors
when Maven tries to download dependencies through AWF's Squid proxy.

- Generate Maven settings.xml with HTTP/HTTPS proxy config and mount
  it at ~/.m2/settings.xml in the agent container (both chroot and
  non-chroot modes)
- Remove embedded double quotes from JAVA_TOOL_OPTIONS nonProxyHosts
  value (JVM treats them as literal characters, breaking host matching)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Mossaka

src/docker-manager.test.ts

@@ -1,4 +1,4 @@
-import { generateDockerCompose, subnetsOverlap, writeConfigs, startContainers, stopContainers, cleanup, runAgentCommand, validateIdNotInSystemRange, getSafeHostUid, getSafeHostGid, getRealUserHome, MIN_REGULAR_UID, ACT_PRESET_BASE_IMAGE } from './docker-manager';
+import { generateDockerCompose, generateMavenSettings, subnetsOverlap, writeConfigs, startContainers, stopContainers, cleanup, runAgentCommand, validateIdNotInSystemRange, getSafeHostUid, getSafeHostGid, getRealUserHome, MIN_REGULAR_UID, ACT_PRESET_BASE_IMAGE } from './docker-manager';
 import { WrapperConfig } from './types';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -509,6 +509,41 @@ describe('docker-manager', () => {
       expect(env.JAVA_TOOL_OPTIONS).toContain('host.docker.internal');
     });
 
+    it('should not include quotes in JAVA_TOOL_OPTIONS nonProxyHosts value', () => {
+      const configWithHostAccess = { ...mockConfig, enableHostAccess: true };
+      const result = generateDockerCompose(configWithHostAccess, mockNetworkConfig);
+      const agent = result.services.agent;
+      const env = agent.environment as Record<string, string>;
+
+      // Verify no embedded quotes in nonProxyHosts value
+      // JAVA_TOOL_OPTIONS parsing treats quotes as literal characters, not grouping
+      expect(env.JAVA_TOOL_OPTIONS).not.toContain('"localhost');
+      expect(env.JAVA_TOOL_OPTIONS).not.toContain('internal"');
+      expect(env.JAVA_TOOL_OPTIONS).toContain('-Dhttp.nonProxyHosts=localhost|');
+    });
+
+    it('should mount Maven settings.xml for proxy configuration', () => {
+      const result = generateDockerCompose(mockConfig, mockNetworkConfig);
+      const agent = result.services.agent;
+      const volumes = agent.volumes as string[];
+
+      const mavenMount = volumes.find((v: string) => v.includes('maven-settings.xml'));
+      expect(mavenMount).toBeDefined();
+      expect(mavenMount).toContain('.m2/settings.xml:ro');
+    });
+
+    it('should mount Maven settings.xml under /host in chroot mode', () => {
+      const chrootConfig = { ...mockConfig, enableChroot: true };
+      const result = generateDockerCompose(chrootConfig, mockNetworkConfig);
+      const agent = result.services.agent;
+      const volumes = agent.volumes as string[];
+
+      const mavenMount = volumes.find((v: string) => v.includes('maven-settings.xml'));
+      expect(mavenMount).toBeDefined();
+      expect(mavenMount).toContain('/host');
+      expect(mavenMount).toContain('.m2/settings.xml:ro');
+    });
+
     it('should mount required volumes in agent container (default behavior)', () => {
       const result = generateDockerCompose(mockConfig, mockNetworkConfig);
       const agent = result.services.agent;
@@ -1836,4 +1871,32 @@ describe('docker-manager', () => {
       await expect(cleanup(nonExistentDir, false)).resolves.not.toThrow();
     });
   });
+
+  describe('generateMavenSettings', () => {
+    it('should generate valid Maven settings.xml with proxy configuration', () => {
+      const result = generateMavenSettings('172.30.0.10', 3128);
+
+      expect(result).toContain('<settings');
+      expect(result).toContain('<proxies>');
+      expect(result).toContain('<protocol>http</protocol>');
+      expect(result).toContain('<protocol>https</protocol>');
+      expect(result).toContain('<host>172.30.0.10</host>');
+      expect(result).toContain('<port>3128</port>');
+      // Should not include nonProxyHosts when not provided
+      expect(result).not.toContain('<nonProxyHosts>');
+    });
+
+    it('should include nonProxyHosts when provided', () => {
+      const result = generateMavenSettings('172.30.0.10', 3128, 'localhost|127.0.0.1|host.docker.internal');
+
+      expect(result).toContain('<nonProxyHosts>localhost|127.0.0.1|host.docker.internal</nonProxyHosts>');
+    });
+
+    it('should have both HTTP and HTTPS proxy entries', () => {
+      const result = generateMavenSettings('172.30.0.10', 3128);
+
+      expect(result).toContain('<id>awf-http</id>');
+      expect(result).toContain('<id>awf-https</id>');
+    });
+  });
 });

src/docker-manager.ts

@@ -10,6 +10,40 @@ import { generateSessionCa, initSslDb, CaFiles, parseUrlPatterns } from './ssl-b
 
 const SQUID_PORT = 3128;
 
+/**
+ * Generates a Maven settings.xml with proxy configuration.
+ * Maven's HTTP transport does not read Java system properties (JAVA_TOOL_OPTIONS) for proxy,
+ * so we must provide proxy config via settings.xml for Maven/Gradle builds to work.
+ */
+export function generateMavenSettings(proxyHost: string, proxyPort: number, nonProxyHosts?: string): string {
+  const nonProxyHostsXml = nonProxyHosts
+    ? `\n        <nonProxyHosts>${nonProxyHosts}</nonProxyHosts>`
+    : '';
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<settings xmlns="http://maven.apache.org/SETTINGS/1.2.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.2.0 https://maven.apache.org/xsd/settings-1.2.0.xsd">
+  <!-- Auto-generated by AWF for Squid proxy integration -->
+  <proxies>
+    <proxy>
+      <id>awf-http</id>
+      <active>true</active>
+      <protocol>http</protocol>
+      <host>${proxyHost}</host>
+      <port>${proxyPort}</port>${nonProxyHostsXml}
+    </proxy>
+    <proxy>
+      <id>awf-https</id>
+      <active>true</active>
+      <protocol>https</protocol>
+      <host>${proxyHost}</host>
+      <port>${proxyPort}</port>${nonProxyHostsXml}
+    </proxy>
+  </proxies>
+</settings>
+`;
+}
+
 /**
  * Base image for the 'act' preset when building locally.
  * Uses catthehacker's GitHub Actions parity image.
@@ -352,7 +386,8 @@ export function generateDockerCompose(
     // for localhost connections that may use the IP address directly
     const javaNoProxy = `localhost|127.0.0.1|host.docker.internal`;
     // Append Java-specific NO_PROXY settings to JAVA_TOOL_OPTIONS (which is guaranteed to exist)
-    environment.JAVA_TOOL_OPTIONS = `${environment.JAVA_TOOL_OPTIONS} -Dhttp.nonProxyHosts="${javaNoProxy}"`;
+    // Note: no quotes around the value — JAVA_TOOL_OPTIONS parsing treats embedded quotes as literals
+    environment.JAVA_TOOL_OPTIONS = `${environment.JAVA_TOOL_OPTIONS} -Dhttp.nonProxyHosts=${javaNoProxy}`;
   }
 
   // For chroot mode, pass the host's actual PATH and tool directories so the entrypoint can use them
@@ -554,6 +589,14 @@ export function generateDockerCompose(
     environment.AWF_SSL_BUMP_ENABLED = 'true';
   }
 
+  // Mount Maven settings.xml with proxy configuration
+  // Maven's HTTP transport ignores Java system properties for proxy, requiring settings.xml
+  if (config.enableChroot) {
+    agentVolumes.push(`${config.workDir}/maven-settings.xml:/host${effectiveHome}/.m2/settings.xml:ro`);
+  } else {
+    agentVolumes.push(`${config.workDir}/maven-settings.xml:${effectiveHome}/.m2/settings.xml:ro`);
+  }
+
   // Add custom volume mounts if specified
   if (config.volumeMounts && config.volumeMounts.length > 0) {
     logger.debug(`Adding ${config.volumeMounts.length} custom volume mount(s)`);
@@ -794,6 +837,15 @@ export async function writeConfigs(config: WrapperConfig): Promise<void> {
   fs.writeFileSync(squidConfigPath, squidConfig);
   logger.debug(`Squid config written to: ${squidConfigPath}`);
 
+  // Write Maven settings.xml with proxy configuration
+  // Maven's HTTP transport ignores JAVA_TOOL_OPTIONS/-D proxy properties,
+  // requiring explicit proxy config in settings.xml
+  const nonProxyHosts = config.enableHostAccess ? 'localhost|127.0.0.1|host.docker.internal' : undefined;
+  const mavenSettings = generateMavenSettings(networkConfig.squidIp, SQUID_PORT, nonProxyHosts);
+  const mavenSettingsPath = path.join(config.workDir, 'maven-settings.xml');
+  fs.writeFileSync(mavenSettingsPath, mavenSettings);
+  logger.debug(`Maven settings.xml written to: ${mavenSettingsPath}`);
+
   // Write Docker Compose config
   const dockerCompose = generateDockerCompose(config, networkConfig, sslConfig);
   const dockerComposePath = path.join(config.workDir, 'docker-compose.yml');