feat(cli): add --agent-timeout flag for execution time limit

[Mossaka]

Summary

• Adds --agent-timeout <minutes> CLI flag to set a maximum execution time for agent commands
• When timeout is reached, the container is gracefully stopped (10s grace period) and AWF exits with code 124 (matching coreutils timeout convention)
• Useful for large projects (nushell, Dapper, Polly) that need configurable build/test timeouts

Changes

• src/types.ts: Added agentTimeout field to WrapperConfig
• src/cli.ts: Added --agent-timeout CLI option with validation (must be positive integer)
• src/docker-manager.ts: runAgentCommand races docker wait against a timeout, stops container on expiry
• src/cli-workflow.ts: Pass timeout through to runAgentCommand
• docs/usage.md: Document new flag
• src/cli-workflow.test.ts: Tests for timeout parameter passing

Usage

# Set 45-minute timeout for large builds
awf --agent-timeout 45 --allow-domains github.com -- make build test

# No timeout (default behavior, unchanged)
awf --allow-domains github.com -- curl https://api.github.com

Fixes #948

Test plan

• npm run build passes
• npm test passes (858 tests)
• npm run lint passes (0 errors)
• CI checks pass

🤖 Generated with Claude Code

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	82.50%	81.96%	📉 -0.54%
Statements	82.50%	81.90%	📉 -0.60%
Functions	82.69%	81.51%	📉 -1.18%
Branches	74.78%	74.31%	📉 -0.47%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	84.0% → 82.9% (-1.07%)	83.3% → 82.0% (-1.30%)
src/cli.ts	47.0% → 46.2% (-0.83%)	47.5% → 46.6% (-0.83%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Adds a configurable execution time limit for agent commands via a new --agent-timeout <minutes> CLI flag, wiring the option through the CLI workflow into container execution so long-running builds/tests can be bounded.

Changes:

• Extend WrapperConfig with agentTimeout (minutes) and document it.
• Add --agent-timeout CLI option and pass it through runMainWorkflow to runAgentCommand.
• Implement timeout behavior in runAgentCommand by racing docker wait with a timer and stopping the container on expiry (exit code 124).

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/types.ts	Adds agentTimeout?: number to wrapper configuration with JSDoc.
src/cli.ts	Introduces --agent-timeout option and parses/validates it into config.
src/docker-manager.ts	Implements timeout race + graceful container stop + exit code 124.
src/cli-workflow.ts	Threads config.agentTimeout into runAgentCommand.
src/cli-workflow.test.ts	Adds tests ensuring agentTimeout is passed to runAgentCommand.
docs/usage.md	Documents the new CLI flag in usage options.

Comments suppressed due to low confidence (1)

src/docker-manager.ts:1477

• When the timeout wins Promise.race, waitPromise is left running without any cancellation/handling. If docker wait later rejects (e.g., container removed), this can surface as an unhandled rejection. Consider aborting docker wait via an AbortController/execa signal, or at least attaching a .catch() to waitPromise to ensure late failures are handled.

      const waitPromise = execa('docker', ['wait', 'awf-agent']).then(result => ({
        type: 'completed' as const,
        exitCodeStr: result.stdout,
      }));

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The timeout implementation schedules a setTimeout but never clears/unrefs it when docker wait wins the race. In Node.js, that pending timer will keep the event loop alive, causing awf to hang until the timeout duration elapses even after the agent command finishes. Please keep a handle to the timer and clearTimeout() (or timeout.unref()) once the wait completes.

This issue also appears on line 1474 of the same file.

[Copilot]

--agent-timeout is documented/validated as a "positive integer", but parseInt() will accept values like "30m" or "1.5" (parsed as 30 / 1) and pass the current checks. To match the error message and avoid surprising behavior, validate the raw string (e.g., ^[1-9]\d*$) before parsing.

Suggested change

	const timeoutMinutes = parseInt(options.agentTimeout, 10);
	if (isNaN(timeoutMinutes) || timeoutMinutes <= 0) {
	logger.error('--agent-timeout must be a positive integer (minutes)');
	process.exit(1);
	}
	if (!/^[1-9]\d*$/.test(options.agentTimeout)) {
	logger.error('--agent-timeout must be a positive integer (minutes)');
	process.exit(1);
	}
	const timeoutMinutes = parseInt(options.agentTimeout, 10);

[Copilot]

This PR adds new timeout behavior in runAgentCommand, but src/docker-manager.test.ts already has unit tests for this function and none cover the timeout path (exit code 124 + docker stop call + log streaming completion). Adding a focused test would help prevent regressions around the new race/stop logic.

[github-actions]

🤖 Smoke test results for @Mossaka (no assignees)

✅ GitHub MCP: #1232 fix(cli): clear LD_PRELOAD after one-shot-token library loads, #1231 fix(ci): update Copilot CLI version from 0.0.411 to 0.0.421
✅ Playwright: github.com title contains "GitHub"
✅ File write: /tmp/gh-aw/agent/smoke-test-copilot-22967766475.txt created and verified
✅ Bash: file read back successfully

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #1242

[github-actions]

Smoke Test Results

• ✅ GitHub MCP: fix(cli): clear LD_PRELOAD after one-shot-token library loads #1232 fix(cli): clear LD_PRELOAD after one-shot-token library loads, fix(ci): update Copilot CLI version from 0.0.411 to 0.0.421 #1231 fix(ci): update Copilot CLI version from 0.0.411 to 0.0.421
• ✅ Playwright: GitHub page title verified
• ✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-22967766576.txt created
• ✅ Bash: File contents verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1242

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ❌ Not all versions match — Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot for issue #1242

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	82.50%	82.47%	📉 -0.03%
Statements	82.50%	82.48%	📉 -0.02%
Functions	82.69%	82.93%	📈 +0.24%
Branches	74.78%	74.57%	📉 -0.21%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/cli.ts	47.0% → 46.2% (-0.83%)	47.5% → 46.6% (-0.83%)
src/docker-manager.ts	84.0% → 84.8% (+0.87%)	83.3% → 84.2% (+0.91%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke Test Results

• ✅ GitHub MCP: test(docker): verify capsh execution chain after PR #715 #1240 test(docker): verify capsh execution chain after PR fix: eliminate nested bash layer in chroot command execution for Java/.NET #715 | fix(cli): clear LD_PRELOAD after one-shot-token library loads #1232 fix(cli): clear LD_PRELOAD after one-shot-token library loads
• ✅ Playwright: Page title contains "GitHub"
• ✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-22968247247.txt created
• ✅ Bash: File contents verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1242

[github-actions]

🔬 Smoke test results for run 22968247277:

• ✅ GitHub MCP: test(docker): verify capsh execution chain after PR #715 #1240 "test(docker): verify capsh execution chain after PR fix: eliminate nested bash layer in chroot command execution for Java/.NET #715", fix(cli): clear LD_PRELOAD after one-shot-token library loads #1232 "fix(cli): clear LD_PRELOAD after one-shot-token library loads"
• ✅ Playwright: github.com title contains "GitHub"
• ✅ File write: /tmp/gh-aw/agent/smoke-test-copilot-22968247277.txt created
• ✅ Bash: File verified via cat

Overall: PASS | Author: @Mossaka

📰 BREAKING: Report filed by Smoke Copilot for issue #1242

[github-actions]

Merged PRs:
test(docker): verify capsh execution chain after PR #715
fix(cli): clear LD_PRELOAD after one-shot-token library loads
GitHub MCP merged PRs review ✅
Safeinputs gh pr list ✅
Playwright title check ✅
Tavily web search ❌
File write ✅
Bash cat ✅
Discussion query+comment ✅
Build (npm ci && npm run build) ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1242

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌
Node.js	v24.14.0	v20.20.0	❌
Go	go1.22.12	go1.22.12	✅

Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1242

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	83.46%	83.46%	➡️ +0.00%
Statements	83.45%	83.46%	➡️ +0.01%
Functions	83.64%	83.94%	📈 +0.30%
Branches	76.15%	76.14%	📉 -0.01%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/cli.ts	54.3% → 54.0% (-0.32%)	54.8% → 54.5% (-0.33%)
src/docker-manager.ts	85.1% → 85.9% (+0.83%)	84.4% → 85.3% (+0.87%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke test results for run 22968551101 — @Mossaka

✅ GitHub MCP: #1240 "test(docker): verify capsh execution chain after PR #715", #1232 "fix(cli): clear LD_PRELOAD after one-shot-token library loads"
✅ Playwright: github.com title contains "GitHub"
✅ File write: /tmp/gh-aw/agent/smoke-test-copilot-22968551101.txt created
✅ Bash verify: file read back successfully

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #1242

[github-actions]

Smoke Test Results

Last 2 merged PRs:

• test(docker): verify capsh execution chain after PR #715 #1240: test(docker): verify capsh execution chain after PR fix: eliminate nested bash layer in chroot command execution for Java/.NET #715
• fix(cli): clear LD_PRELOAD after one-shot-token library loads #1232: fix(cli): clear LD_PRELOAD after one-shot-token library loads

Test	Result
GitHub MCP (merged PRs)	✅
Playwright (github.com title contains "GitHub")	✅
File writing	✅
Bash verification	✅

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1242

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: FAILED — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1242

[github-actions]

PR titles: feat(cli): add --agent-timeout flag for execution time limit | feat(cli): organize help text with logical option groups
GitHub MCP (last 2 merged PRs): ✅
safeinputs-gh PR list: ✅
Playwright title: ✅
Tavily web search: ❌ (tool unavailable)
File write: ✅
Bash cat: ✅
Discussion comment: ✅
Build (npm ci && npm run build): ✅
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1242

[github-actions]

Smoke Test Results

✅ GitHub MCP — Last 2 merged PRs: #1240 "test(docker): verify capsh execution chain after PR #715", #1163 "test: expand credential hiding tests to all 14 protected paths"
✅ Playwright — github.com title contains "GitHub"
✅ File Write — /tmp/gh-aw/agent/smoke-test-claude-22969587359.txt created
✅ Bash — File contents verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1242

[github-actions]

Smoke Test Results (run #22969587337)

✅ GitHub MCP: Last 2 merged PRs retrieved — #1240 test(docker): verify capsh execution chain after PR #715, #1232 fix(cli): clear LD_PRELOAD after one-shot-token library loads
✅ Playwright: github.com title contains "GitHub"
✅ File write: /tmp/gh-aw/agent/smoke-test-copilot-22969587337.txt created and verified
✅ Bash: cat confirmed file contents

Overall: PASS — @Mossaka

📰 BREAKING: Report filed by Smoke Copilot for issue #1242

[github-actions]

Merged PRs reviewed: test: expand credential hiding tests to all 14 protected paths; test(docker): verify capsh execution chain after PR #715
Test 1 GitHub MCP merged PR review ✅
Test 2 safeinputs-gh pr list ✅
Test 3 Playwright title ✅
Test 4 Tavily search ❌
Test 5 file write ✅
Test 6 bash cat ✅
Test 7 discussion comment ✅
Test 8 build ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1242

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ❌ Not all versions match — Go matches, but Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot for issue #1242

[github-actions]

Smoke test results
Merged PRs reviewed: chore(deps): aggregated dependency updates; docs: document flag validation constraints
safeinputs-gh pr list: PASS
Playwright github title: PASS
Tavily search: FAIL (tool unavailable)
File write: PASS
Bash cat: PASS
Discussion comment: PASS
Build (npm ci && npm run build): PASS
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1242

[github-actions]

Smoke Test Results ✅ PASS

Test	Result
GitHub MCP (last 2 merged PRs)	✅ #1262 "test: add logger/aggregator tests for blocked domain detection", #1261 "ci: skip CI when only release.yml changes"
Playwright (github.com title)	✅ "GitHub · Change is constant..."
File write	✅ /tmp/gh-aw/agent/smoke-test-copilot-23021614864.txt created
Bash verification	✅ cat confirmed file contents

PR author: @Mossaka | No assignees

📰 BREAKING: Report filed by Smoke Copilot for issue #1242

[github-actions]

Smoke Test Results — PASS

• ✅ GitHub MCP: chore(deps): bump devalue from 5.6.3 to 5.6.4 in /docs-site #1256 chore(deps): bump devalue, test: add logger/aggregator tests for blocked domain detection #1262 test: add logger/aggregator tests
• ✅ Playwright: github.com title contains "GitHub"
• ✅ File write: /tmp/gh-aw/agent/smoke-test-claude-23021614822.txt created
• ✅ Bash verify: file contents confirmed

💥 [THE END] — Illustrated by Smoke Claude for issue #1242

[github-actions]

GitHub MCP merged PRs: ✅ test: add logger/aggregator tests for blocked domain detection; feat(cli): organize help text with logical option groups
safeinputs-gh PR list: ✅ Add GitHub Enterprise Cloud/Server support and documentation; fix(docker): simplify security model - remove direct DNS exceptions
Playwright GitHub title check: ✅
Tavily web search: ❌ (tool unavailable)
File write: ✅
Bash cat verify: ✅
Discussion query + comment: ✅
Build (npm ci && npm run build): ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1242

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1242

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	83.46%	83.74%	📈 +0.28%
Statements	83.45%	83.74%	📈 +0.29%
Functions	83.64%	84.01%	📈 +0.37%
Branches	76.15%	76.47%	📈 +0.32%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	85.1% → 85.9% (+0.83%)	84.4% → 85.3% (+0.87%)
src/cli.ts	54.3% → 55.5% (+1.14%)	54.8% → 56.0% (+1.20%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	83.46%	83.74%	📈 +0.28%
Statements	83.45%	83.74%	📈 +0.29%
Functions	83.64%	84.01%	📈 +0.37%
Branches	76.15%	76.47%	📈 +0.32%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	85.1% → 85.9% (+0.83%)	84.4% → 85.3% (+0.87%)
src/cli.ts	54.3% → 55.5% (+1.14%)	54.8% → 56.0% (+1.20%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1242

[github-actions]

Smoke Test Results

• ✅ GitHub MCP: test: add logger/aggregator tests for blocked domain detection #1262 test: add logger/aggregator tests for blocked domain detection / ci: skip CI when only release.yml changes #1261 ci: skip CI when only release.yml changes
• ✅ Playwright: GitHub page title verified
• ✅ File write: /tmp/gh-aw/agent/smoke-test-claude-23021896260.txt created
• ✅ Bash: File contents verified

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1242

[github-actions]

Smoke Test Results

Last 2 merged PRs (@Mossaka):

• test: add logger/aggregator tests for blocked domain detection #1262: test: add logger/aggregator tests for blocked domain detection
• ci: skip CI when only release.yml changes #1261: ci: skip CI when only release.yml changes

Test	Result
GitHub MCP (PR list)	✅
Playwright (github.com title)	✅
File write	✅
Bash (cat verification)	✅

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #1242

[github-actions]

PRs: test: add logger/aggregator tests for blocked domain detection | ci: skip CI when only release.yml changes
GitHub MCP (merged PRs): ✅
Safeinputs gh pr list: ✅
Playwright title check: ✅
Tavily web search: ❌
File write: ✅
Bash cat verify: ✅
Discussion comment: ✅
Build (npm ci && npm run build): ✅
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1242

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	83.46%	83.75%	📈 +0.29%
Statements	83.45%	83.75%	📈 +0.30%
Functions	83.64%	84.01%	📈 +0.37%
Branches	76.15%	76.43%	📈 +0.28%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	85.1% → 86.0% (+0.86%)	84.4% → 85.3% (+0.89%)
src/cli.ts	54.3% → 55.5% (+1.14%)	54.8% → 56.0% (+1.20%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke Test Results

• ✅ GitHub MCP: fix: add missing formatItem and program imports in cli.test.ts #1265 fix: add missing formatItem and program imports in cli.test.ts / test: add logger/aggregator tests for blocked domain detection #1262 test: add logger/aggregator tests for blocked domain detection
• ✅ Playwright: GitHub page title verified
• ✅ File Write: /tmp/gh-aw/agent/smoke-test-claude-23022503444.txt created
• ✅ Bash: File contents confirmed

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1242

[github-actions]

Merged PRs reviewed: fix: add missing formatItem and program imports in cli.test.ts; test: add logger/aggregator tests for blocked domain detection
Test 1 GitHub MCP review: PASS
Test 2 safeinputs-gh PR list: PASS
Test 3 Playwright title: PASS
Test 4 Tavily search: FAIL (missing tool)
Test 5 file write+cat: PASS
Test 7 discussion query+comment: PASS
Test 8 build: PASS
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1242

[github-actions]

Smoke Test Results ✅ PASS

Test	Result
GitHub MCP: Last 2 merged PRs	✅
Playwright: github.com title check	✅
File write/read	✅
Bash execution	✅

Last 2 merged PRs:

• fix: add missing formatItem and program imports in cli.test.ts #1265 fix: add missing formatItem and program imports in cli.test.ts by @Copilot
• test: add logger/aggregator tests for blocked domain detection #1262 test: add logger/aggregator tests for blocked domain detection by @Mossaka

cc @Mossaka

📰 BREAKING: Report filed by Smoke Copilot for issue #1242

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1242

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1242 · ◷