feat: add SSL Bump support for HTTPS content inspection

[Copilot]

• Add SSL Bump feature for HTTPS content inspection
  • Create src/ssl-bump.ts - CA generation utilities
  • Update src/types.ts - Add SSL Bump configuration types
  • Update src/squid-config.ts - Add SSL Bump configuration
  • Update src/docker-manager.ts - Handle CA certificate mounting
  • Update src/cli.ts - Add CLI flags --ssl-bump and --allow-urls
  • Update containers/squid/Dockerfile - Add OpenSSL tools
  • Update containers/agent/entrypoint.sh - Add CA certificate injection
  • Add tests for SSL Bump functionality
• Fix SSL Bump issues (from PR review)
  • Call parseUrlPatterns() to transform user URLs to regex patterns
  • Fix SSL database initialization in Squid entrypoint
  • Fix port configuration (use http_port 3128 ssl-bump for explicit proxy)
  • Increase SSL certificate cache size from 4MB to 16MB
• Update documentation with power-user warnings
• Run code review
• Run CodeQL security check

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Security] No TLS/HTTPS content inspection - only SNI visible</issue_title>
<issue_description>## Priority
P0 - Critical

Summary

AWF only inspects SNI (Server Name Indication) in the TLS ClientHello. It cannot see or filter based on URL paths, query parameters, or request methods for HTTPS traffic.

Current Behavior

When a client makes an HTTPS request, Squid only sees the CONNECT method with the domain:

CONNECT github.com:443 HTTP/1.1

Squid cannot distinguish between:

• https://github.com/safe-org/repo ✅
• https://github.com/malicious-org/repo ❌

Both requests are allowed if github.com is whitelisted.

Security Impact

• Data exfiltration: Malicious code can exfiltrate data to any path on allowed domains
• Access control bypass: Cannot restrict to specific repositories, API endpoints, or paths
• Audit limitations: Logs only show domain, not actual resource accessed

Code Locations

• src/squid-config.ts:108-120 - ACL rules only match dstdomain
• Squid config uses http_access allow based on domain only

Proposed Solution

Enable Squid SSL Bump

1. Generate per-session CA certificate (for security):

// Generate self-signed CA valid for 1 day only
openssl req -new -newkey rsa:2048 -days 1 -nodes -x509 \
  -subj "/CN=AWF Session CA" \
  -keyout ${workDir}/ca-key.pem -out ${workDir}/ca-cert.pem

2. Configure Squid SSL Bump (src/squid-config.ts):

http_port 3128 ssl-bump \
  cert=/etc/squid/ca-cert.pem \
  key=/etc/squid/ca-key.pem \
  generate-host-certificates=on \
  dynamic_cert_mem_cache_size=4MB

acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump bump allowed_domains
ssl_bump terminate all

3. Inject CA into agent container:

COPY ca-cert.pem /usr/local/share/ca-certificates/awf-ca.crt
RUN update-ca-certificates

4. Add URL path ACLs:

acl allowed_urls url_regex ^https://github\.com/githubnext/
http_access allow allowed_urls
http_access deny all

Security Considerations

• CA key stays in tmpfs only (never persisted)
• Generated per-session, unique to each execution
• Private key never written to logs
• Certificate valid for 1 day maximum
• Users should be informed that HTTPS traffic is inspected

Files to Modify

• src/squid-config.ts - Add SSL Bump configuration
• containers/squid/Dockerfile - Ensure OpenSSL tools available
• containers/agent/Dockerfile - CA certificate injection
• New: src/ssl-bump.ts - CA generation utilities

Testing

Add test cases:

• URL path filtering for HTTPS works
• CA injection successful
• CA key not exposed in logs
• Self-signed cert handling
• Certificate chain validation</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Security] No TLS/HTTPS content inspection - only SNI visible #127

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

💥 WHOOSH! Smoke Claude springs into action on this pull request! [Panel 1 begins...]

[github-actions]

Smoke Test Results (Run #20378121588)

PR #111: docs: streamline README for first-time visitors
PR #108: feat: add install script with sha256 validation

✅ GitHub MCP Test: PASS
✅ File Write Test: PASS
✅ Bash Tool Test: PASS

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot fer issue #131 🗺️

[github-actions]

Smoke Test Results (Claude Engine)

✅ GitHub MCP: Last 2 merged PRs retrieved

• [WIP] Add tests for blocked domain detection in log parsers #119: [WIP] Add tests for blocked domain detection in log parsers
• docs: streamline README for first-time visitors #111: docs: streamline README for first-time visitors

✅ File Writing: Created test file successfully

✅ Bash Tool: File verification passed

❌ Playwright MCP: Page loaded but assets blocked (tunnel connection failures)

Overall Status: PARTIAL PASS (3/4 tests passed; Playwright networking issues expected in firewall environment)

💥 [THE END] — Illustrated by Smoke Claude fer issue #131 🗺️

[github-actions]

Test Coverage Report

Metric	Coverage	Covered/Total
Lines	69.33%	1031/1487
Statements	69.47%	1056/1520
Functions	69.09%	114/165
Branches	64.88%	353/544

Coverage Thresholds

The project has the following coverage thresholds configured:

• Lines: 38%
• Statements: 38%
• Functions: 35%
• Branches: 30%

---

Coverage report generated by `npm run test:coverage`

[Mossaka]

@copilot, please address the following issues:

1. parseUrlPatterns() is never called. User URL patterns aren't transformed to regex
2. SSL database not initialized - Squid will crash on startup
3. Port 3129 misconfigured - HTTPS traffic routing won't work

and then because this's a power-user feature, can you add documentation, and make it optional (should not come out of the box and affects perf under default mode)?

[Copilot]

@copilot, please address the following issues:

1. parseUrlPatterns() is never called. User URL patterns aren't transformed to regex
   ...

Fixed all three issues in commit af0bc2d:

1. parseUrlPatterns() now called - User URL patterns are now properly transformed to regex patterns before being passed to Squid config.

2. SSL database initialized - Squid entrypoint now initializes the SSL certificate database using security_file_certgen -c before starting. The database is mounted at /var/spool/squid_ssl_db.

3. Port configuration fixed - Changed from https_port 3129 intercept ssl-bump to http_port 3128 ssl-bump for explicit proxy mode. This works correctly with the existing proxy configuration.

Also added power-user warnings to documentation and increased SSL certificate cache from 4MB to 16MB per code review feedback.