fix(squid): run Squid container as non-root user

[Mossaka]

Summary

Fixes #250

• Install gosu in the Squid container Dockerfile for privilege de-escalation
• Set directory ownership for the proxy user (UID 13) during image build
• Update entrypoint to fix mounted directory permissions then drop to proxy user via gosu proxy squid -N -d 1

Changes

• containers/squid/Dockerfile: Added gosu to installed packages, created and chowned /var/run/squid and /var/spool/squid directories for proxy user
• containers/squid/entrypoint.sh: Added permission fixes for /etc/squid, /var/run/squid, /var/spool/squid, and uses gosu proxy to start Squid as non-root

Test plan

• npm run build passes
• 821 unit tests pass
• npm run lint - 0 errors
• CI integration tests (domain filtering, SSL Bump) pass with non-root Squid
• docker exec awf-squid whoami returns proxy

🤖 Generated with Claude Code

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.03%	82.18%	📈 +0.15%
Statements	82.01%	82.15%	📈 +0.14%
Functions	82.50%	82.50%	➡️ +0.00%
Branches	74.20%	74.29%	📈 +0.09%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	83.1% → 83.7% (+0.56%)	82.4% → 83.0% (+0.54%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS 🎉

Generated by Build Test C++ for issue #1153

[github-actions]

🦀 Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: ✅ PASS

Generated by Build Test Rust for issue #1153

[github-actions]

Build Test: Node.js Results ✅

Project	Install	Tests	Status
clsx	✅	✅	PASS
execa	✅	✅	PASS
p-limit	✅	✅	PASS

Overall: PASS

Generated by Build Test Node.js for issue #1153

[github-actions]

Smoke Test Results ✅ PASS

Test	Result
GitHub MCP — last 2 merged PRs: fix(deps): resolve minimatch ReDoS and ajv vulnerabilities (#1152), chore(deps): bump svgo from 4.0.0 to 4.0.1 (#1146)	✅
Playwright — github.com title contains "GitHub"	✅
File write — /tmp/gh-aw/agent/smoke-test-copilot-22732758278.txt	✅
Bash tool — file verified via cat	✅

Overall: PASS — @Mossaka

📰 BREAKING: Report filed by Smoke Copilot for issue #1153

[github-actions]

Smoke Test Results

Last 2 merged PRs:

• fix(deps): resolve minimatch ReDoS and ajv vulnerabilities #1152: fix(deps): resolve minimatch ReDoS and ajv vulnerabilities
• fix: add explicit execute directive to smoke-codex to prevent noop #1078: fix: add explicit execute directive to smoke-codex to prevent noop

Test	Result
GitHub MCP (list merged PRs)	✅
Playwright (github.com title check)	✅
File write (smoke-test-claude-22732758304.txt)	✅
Bash verification (cat file)	✅

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1153

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS

Run output

hello-world:

Hello, World!
```

**json-parse:**
```
{
  "Name": "AWF Test",
  "Version": 1,
  "Success": true
}
Name: AWF Test, Success: True

Generated by Build Test .NET for issue #1153

[github-actions]

Build Test: Deno ✅

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: PASS

Generated by Build Test Deno for issue #1153

[github-actions]

PR titles: fix(deps): resolve minimatch ReDoS and ajv vulnerabilities | fix: add explicit execute directive to smoke-codex to prevent noop
GitHub MCP: ✅
safeinputs-gh: ✅
Playwright: ✅
Tavily search: ❌ (tool unavailable)
File write: ✅
Bash cat: ✅
Discussion comment: ✅
Build: ✅
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1153

[github-actions]

Java Build Test Results

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: PASS ✅

Generated by Build Test Java for issue #1153

[github-actions]

🧪 Build Test: Bun

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: ✅ PASS

Bun version: 1.3.10

Generated by Build Test Bun for issue #1153

[github-actions]

Go Build Test Results ✅

Project	Download	Tests	Status
color	✅	PASS	PASS
env	✅	PASS	PASS
uuid	✅	PASS	PASS

Overall: PASS

Generated by Build Test Go for issue #1153

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ❌ Not all runtimes match — Python and Node.js versions differ between host and chroot environment.

Tested by Smoke Chroot for issue #1153