fix(squid): block direct IP connections that bypass domain filtering

[Mossaka]

Summary

• Adds Squid ACLs (dst_ipv4, dst_ipv6) to deny CONNECT requests targeting raw IP addresses (both IPv4 and IPv6)
• Prevents attackers from bypassing domain-based filtering by connecting directly to IP addresses using HTTPS
• IP deny rules are placed before domain allow/deny rules for defense-in-depth

Details

When a client connects directly to an IP address using HTTPS (e.g., curl -k https://140.82.114.4/), Squid sees only the IP in the CONNECT request with no domain to match against the ACL. This change explicitly denies such requests at the Squid level, complementing the existing host-level iptables default-deny rule.

Test plan

• Unit tests verify IPv4 deny ACL is present in generated config
• Unit tests verify IPv6 deny ACL is present in generated config
• Unit tests verify IP deny rules are ordered before domain rules
• Unit tests verify IP deny rules present even with empty domain list
• Unit tests verify IP deny rules present in SSL Bump mode
• All 125 squid-config tests pass
• Full test suite passes (706 tests)
• Lint passes (0 errors)

Fixes #137

🤖 Generated with Claude Code

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.27%	82.41%	📈 +0.14%
Statements	82.17%	82.30%	📈 +0.13%
Functions	82.60%	82.60%	➡️ +0.00%
Branches	74.12%	74.21%	📈 +0.09%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	83.0% → 83.6% (+0.55%)	82.4% → 82.9% (+0.53%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Build Test: Bun Results ✅

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: PASS

Bun v1.3.10

Generated by Build Test Bun for issue #1160

[github-actions]

🦀 Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: ✅ PASS

Generated by Build Test Rust for issue #1160

[github-actions]

Smoke test results — Claude (claude-sonnet-4-6)

Test	Result
GitHub MCP — PR #1159: fix(security): eliminate TOCTOU race conditions in ssl-bump.ts	✅
GitHub MCP — PR #1158: fix(security): stop logging partial token values	✅
Playwright — github.com title contains "GitHub"	✅
File write + bash verify	✅

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1160

[github-actions]

Smoke Test Results — Copilot Engine

✅ GitHub MCP: Last 2 merged PRs: #1159: fix(security): eliminate TOCTOU race conditions in ssl-bump.ts | #1158: fix(security): stop logging partial token values (both by @Mossaka)
✅ Playwright: https://github.com title contains "GitHub"
✅ File Write: /tmp/gh-aw/agent/smoke-test-copilot-22733894287.txt created and verified
✅ Bash: File content confirmed via cat

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #1160

[github-actions]

Build Test: Deno ✅

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: PASS

Test output details

oak:

running 1 test from ./test.ts
oak test ... ok (0ms)
ok | 1 passed | 0 failed (2ms)
```

**std:**
```
running 1 test from ./test.ts
std test ... ok (0ms)
ok | 1 passed | 0 failed (2ms)

Generated by Build Test Deno for issue #1160

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS

Run output

hello-world:

Hello, World!
```

**json-parse:**
```
{
  "Name": "AWF Test",
  "Version": 1,
  "Success": true
}
Name: AWF Test, Success: True

Generated by Build Test .NET for issue #1160

[github-actions]

Build Test: Node.js ✅

Project	Install	Tests	Status
clsx	✅	PASS	PASS
execa	✅	PASS	PASS
p-limit	✅	PASS	PASS

Overall: PASS

Generated by Build Test Node.js for issue #1160

[github-actions]

Go Build Test Results ✅

Project	Download	Tests	Status
color	✅	PASS	PASS
env	✅	PASS	PASS
uuid	✅	PASS	PASS

Overall: PASS

Generated by Build Test Go for issue #1160

[github-actions]

PRs reviewed: fix(security): eliminate TOCTOU race conditions in ssl-bump.ts; fix(security): stop logging partial token values
GitHub MCP (last 2 merged PRs) ✅
safeinputs-gh pr list ✅
Playwright title check ✅
Tavily search ❌
File write ✅
Bash cat ✅
Discussion comment ✅
Build (npm ci && npm run build) ✅
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1160

[github-actions]

Java Build Test Results ☕

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: ✅ PASS

Both projects compiled and all tests passed successfully.

Generated by Build Test Java for issue #1160

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: FAILED — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1160

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

Generated by Build Test C++ for issue #1160