fix: move Maven proxy config from docker-manager to workflow instruction

Instead of adding JAVA_TOOL_OPTIONS and Maven settings.xml generation
to docker-manager.ts, instruct the agent to create ~/.m2/settings.xml
with proxy settings before running Maven commands. This is simpler and
doesn't require changes to the AWF core.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Mossaka

.github/workflows/build-test-java.lock.yml

@@ -45,55 +45,42 @@ env:
 
 ## Test Requirements
 
-### 1. Verify Java Proxy Configuration
-
-Before running any tests, verify that Java proxy configuration is properly set:
-
-```bash
-# Verify JAVA_TOOL_OPTIONS is set
-echo "JAVA_TOOL_OPTIONS=$JAVA_TOOL_OPTIONS"
-
-# Extract and display proxy settings
-java -XshowSettings:properties -version 2>&1 | grep -E "http\.(proxyHost|proxyPort|nonProxyHosts)|https\.(proxyHost|proxyPort)"
-```
-
-**Expected configuration**:
-- `http.proxyHost` should be set to Squid IP (e.g., `172.30.0.10`)
-- `http.proxyPort` should be `3128`
-- `https.proxyHost` should be set to Squid IP
-- `https.proxyPort` should be `3128`
-- If host access is enabled, `http.nonProxyHosts` should include `localhost|127.0.0.1|host.docker.internal`
-
-If proxy settings are missing or incorrect, report the issue and fail the workflow.
-
-### 2. Clone Repository
-
-`gh repo clone Mossaka/gh-aw-firewall-test-java /tmp/test-java`
-- **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution
-
-### 3. Test Projects
-
-Run Maven compile and test for each project:
-- `gson`: `cd /tmp/test-java/gson && mvn compile && mvn test`
-- `caffeine`: `cd /tmp/test-java/caffeine && mvn compile && mvn test`
-
-### 4. Capture Results
-
-For each project, capture:
-- Compile success/failure
-- Test pass/fail count
-- Any error messages
+Clone and test the following projects from the test repository:
+
+1. **Clone Repository**: `gh repo clone Mossaka/gh-aw-firewall-test-java /tmp/test-java`
+   - **CRITICAL**: If clone fails, immediately call `safeoutputs-missing_tool` with message "CLONE_FAILED: Unable to clone test repository" and stop execution
+
+2. **Configure Maven Proxy**: Maven ignores Java system properties for proxy configuration, so you must create `~/.m2/settings.xml` before running any Maven commands:
+   ```bash
+   mkdir -p ~/.m2
+   cat > ~/.m2/settings.xml << SETTINGS
+   <settings>
+     <proxies>
+       <proxy>
+         <id>awf-http</id><active>true</active><protocol>http</protocol>
+         <host>${SQUID_PROXY_HOST}</host><port>${SQUID_PROXY_PORT}</port>
+       </proxy>
+       <proxy>
+         <id>awf-https</id><active>true</active><protocol>https</protocol>
+         <host>${SQUID_PROXY_HOST}</host><port>${SQUID_PROXY_PORT}</port>
+       </proxy>
+     </proxies>
+   </settings>
+   SETTINGS
+   ```
+
+3. **Test Projects**:
+   - `gson`: `cd /tmp/test-java/gson && mvn compile && mvn test`
+   - `caffeine`: `cd /tmp/test-java/caffeine && mvn compile && mvn test`
+
+4. **For each project**, capture:
+   - Compile success/failure
+   - Test pass/fail count
+   - Any error messages
 
 ## Output
 
-Add a comment to the current pull request with a summary including:
-
-1. **Java Proxy Configuration Status**:
-   - ✅ Proxy settings verified OR ❌ Proxy settings missing/incorrect
-   - Display the actual `JAVA_TOOL_OPTIONS` value
-   - List detected proxy properties (http.proxyHost, http.proxyPort, https.proxyHost, https.proxyPort, http.nonProxyHosts if present)
-
-2. **Build/Test Results Table**:
+Add a comment to the current pull request with a summary table:
 
 | Project  | Compile | Tests | Status |
 |----------|---------|-------|--------|
@@ -102,16 +89,15 @@ Add a comment to the current pull request with a summary including:
 
 **Overall: PASS/FAIL**
 
-If ALL tests pass AND proxy configuration is correct, add the label `build-test-java` to the pull request.
-If ANY test fails OR proxy configuration is incorrect, report the failure with error details.
+If ALL tests pass, add the label `build-test-java` to the pull request.
+If ANY test fails, report the failure with error details.
 
 ## Error Handling
 
 **CRITICAL**: This workflow MUST fail visibly when errors occur:
 
-1. **Proxy configuration failure**: If Java proxy settings are missing or incorrect, report in comment with actual vs expected values
-2. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
-3. **Build failure**: Report in comment table with ❌ and include error output
-4. **Test failure**: Report in comment table with FAIL status and include failure details
+1. **Clone failure**: If repository clone fails, call `safeoutputs-missing_tool` with "CLONE_FAILED: [error message]"
+2. **Build failure**: Report in comment table with ❌ and include error output
+3. **Test failure**: Report in comment table with FAIL status and include failure details
 
 DO NOT report success if any step fails. The workflow should produce a clear, actionable error message.

.github/workflows/build-test-java.md

@@ -1,4 +1,4 @@
-import { generateDockerCompose, generateMavenSettings, subnetsOverlap, writeConfigs, startContainers, stopContainers, cleanup, runAgentCommand, validateIdNotInSystemRange, getSafeHostUid, getSafeHostGid, getRealUserHome, MIN_REGULAR_UID, ACT_PRESET_BASE_IMAGE } from './docker-manager';
+import { generateDockerCompose, subnetsOverlap, writeConfigs, startContainers, stopContainers, cleanup, runAgentCommand, validateIdNotInSystemRange, getSafeHostUid, getSafeHostGid, getRealUserHome, MIN_REGULAR_UID, ACT_PRESET_BASE_IMAGE } from './docker-manager';
 import { WrapperConfig } from './types';
 import * as fs from 'fs';
 import * as path from 'path';
@@ -485,65 +485,6 @@ describe('docker-manager', () => {
       expect(env.SQUID_PROXY_PORT).toBe('3128');
     });
 
-    it('should configure JAVA_TOOL_OPTIONS with proxy settings for Java applications', () => {
-      const result = generateDockerCompose(mockConfig, mockNetworkConfig);
-      const agent = result.services.agent;
-      const env = agent.environment as Record<string, string>;
-
-      expect(env.JAVA_TOOL_OPTIONS).toBeDefined();
-      expect(env.JAVA_TOOL_OPTIONS).toContain('-Dhttp.proxyHost=172.30.0.10');
-      expect(env.JAVA_TOOL_OPTIONS).toContain('-Dhttp.proxyPort=3128');
-      expect(env.JAVA_TOOL_OPTIONS).toContain('-Dhttps.proxyHost=172.30.0.10');
-      expect(env.JAVA_TOOL_OPTIONS).toContain('-Dhttps.proxyPort=3128');
-    });
-
-    it('should add http.nonProxyHosts to JAVA_TOOL_OPTIONS when host access is enabled', () => {
-      const configWithHostAccess = { ...mockConfig, enableHostAccess: true };
-      const result = generateDockerCompose(configWithHostAccess, mockNetworkConfig);
-      const agent = result.services.agent;
-      const env = agent.environment as Record<string, string>;
-
-      expect(env.JAVA_TOOL_OPTIONS).toContain('-Dhttp.nonProxyHosts=');
-      expect(env.JAVA_TOOL_OPTIONS).toContain('localhost');
-      expect(env.JAVA_TOOL_OPTIONS).toContain('127.0.0.1');
-      expect(env.JAVA_TOOL_OPTIONS).toContain('host.docker.internal');
-    });
-
-    it('should not include quotes in JAVA_TOOL_OPTIONS nonProxyHosts value', () => {
-      const configWithHostAccess = { ...mockConfig, enableHostAccess: true };
-      const result = generateDockerCompose(configWithHostAccess, mockNetworkConfig);
-      const agent = result.services.agent;
-      const env = agent.environment as Record<string, string>;
-
-      // Verify no embedded quotes in nonProxyHosts value
-      // JAVA_TOOL_OPTIONS parsing treats quotes as literal characters, not grouping
-      expect(env.JAVA_TOOL_OPTIONS).not.toContain('"localhost');
-      expect(env.JAVA_TOOL_OPTIONS).not.toContain('internal"');
-      expect(env.JAVA_TOOL_OPTIONS).toContain('-Dhttp.nonProxyHosts=localhost|');
-    });
-
-    it('should mount Maven settings.xml for proxy configuration', () => {
-      const result = generateDockerCompose(mockConfig, mockNetworkConfig);
-      const agent = result.services.agent;
-      const volumes = agent.volumes as string[];
-
-      const mavenMount = volumes.find((v: string) => v.includes('maven-settings.xml'));
-      expect(mavenMount).toBeDefined();
-      expect(mavenMount).toContain('.m2/settings.xml:ro');
-    });
-
-    it('should mount Maven settings.xml under /host in chroot mode', () => {
-      const chrootConfig = { ...mockConfig, enableChroot: true };
-      const result = generateDockerCompose(chrootConfig, mockNetworkConfig);
-      const agent = result.services.agent;
-      const volumes = agent.volumes as string[];
-
-      const mavenMount = volumes.find((v: string) => v.includes('maven-settings.xml'));
-      expect(mavenMount).toBeDefined();
-      expect(mavenMount).toContain('/host');
-      expect(mavenMount).toContain('.m2/settings.xml:ro');
-    });
-
     it('should mount required volumes in agent container (default behavior)', () => {
       const result = generateDockerCompose(mockConfig, mockNetworkConfig);
       const agent = result.services.agent;
@@ -1871,32 +1812,4 @@ describe('docker-manager', () => {
       await expect(cleanup(nonExistentDir, false)).resolves.not.toThrow();
     });
   });
-
-  describe('generateMavenSettings', () => {
-    it('should generate valid Maven settings.xml with proxy configuration', () => {
-      const result = generateMavenSettings('172.30.0.10', 3128);
-
-      expect(result).toContain('<settings');
-      expect(result).toContain('<proxies>');
-      expect(result).toContain('<protocol>http</protocol>');
-      expect(result).toContain('<protocol>https</protocol>');
-      expect(result).toContain('<host>172.30.0.10</host>');
-      expect(result).toContain('<port>3128</port>');
-      // Should not include nonProxyHosts when not provided
-      expect(result).not.toContain('<nonProxyHosts>');
-    });
-
-    it('should include nonProxyHosts when provided', () => {
-      const result = generateMavenSettings('172.30.0.10', 3128, 'localhost|127.0.0.1|host.docker.internal');
-
-      expect(result).toContain('<nonProxyHosts>localhost|127.0.0.1|host.docker.internal</nonProxyHosts>');
-    });
-
-    it('should have both HTTP and HTTPS proxy entries', () => {
-      const result = generateMavenSettings('172.30.0.10', 3128);
-
-      expect(result).toContain('<id>awf-http</id>');
-      expect(result).toContain('<id>awf-https</id>');
-    });
-  });
 });