fix(docker): disable IPv6 when ip6tables unavailable

[Mossaka]

Summary

Fixes #245

When ip6tables is not available, IPv6 traffic previously bypassed all firewall filtering rules. This PR:

• Host-level (src/host-iptables.ts): Disables IPv6 via sysctl -w net.ipv6.conf.all.disable_ipv6=1 when ip6tables is unavailable, and re-enables on cleanup
• Container-level (containers/agent/setup-iptables.sh): Disables IPv6 via sysctl in the agent container when ip6tables is unavailable
• Adds unit tests verifying sysctl disable/re-enable behavior

Test plan

• Unit tests pass (824 tests, 0 failures)
• Build succeeds
• Lint passes (0 errors)
• CI integration tests pass

🤖 Generated with Claude Code

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.03%	82.50%	📈 +0.47%
Statements	82.01%	82.47%	📈 +0.46%
Functions	82.50%	82.75%	📈 +0.25%
Branches	74.20%	74.46%	📈 +0.26%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	83.1% → 83.7% (+0.56%)	82.4% → 83.0% (+0.54%)
src/host-iptables.ts	77.5% → 81.0% (+3.49%)	77.7% → 81.2% (+3.44%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Go Build Test Results

Project	Download	Tests	Status
color	✅	PASS	✅ PASS
env	✅	PASS	✅ PASS
uuid	✅	PASS	✅ PASS

Overall: ✅ PASS

Generated by Build Test Go for issue #1154

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

Deno version: 2.7.4

Generated by Build Test Deno for issue #1154

[github-actions]

Smoke Test Results — PASS

• ✅ GitHub MCP: fix: add explicit execute directive to smoke-codex to prevent noop #1078 fix: add explicit execute directive to smoke-codex to prevent noop / fix(deps): resolve high-severity rollup vulnerability in docs-site #1069 fix(deps): resolve high-severity rollup vulnerability in docs-site
• ✅ Playwright: GitHub page title verified
• ✅ File write: /tmp/gh-aw/agent/smoke-test-claude-22732230930.txt created
• ✅ Bash verify: file contents confirmed

💥 [THE END] — Illustrated by Smoke Claude for issue #1154

[github-actions]

Bun Build Test Results

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: ✅ PASS

Bun version: 1.3.10

Generated by Build Test Bun for issue #1154

[github-actions]

Smoke Test Results — @Mossaka

✅ GitHub MCP: Last 2 merged PRs: #1078 "fix: add explicit execute directive to smoke-codex to prevent noop", #1070 "chore: investigate issue duplication detector workflow failure"
✅ Playwright: github.com title contains "GitHub"
✅ File Write: /tmp/gh-aw/agent/smoke-test-copilot-22732230982.txt created
✅ Bash: File verified via cat

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #1154

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS 🎉

Generated by Build Test C++ for issue #1154

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.12	Python 3.12.3	❌ NO
Node.js	v24.14.0	v20.20.0	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Result: FAILED — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot for issue #1154

[github-actions]

PR titles: fix: add explicit execute directive to smoke-codex to prevent noop | fix(deps): resolve high-severity rollup vulnerability in docs-site | fix(docker): disable IPv6 when ip6tables unavailable | fix(squid): run Squid container as non-root user
Tests: GitHub MCP review ✅; safeinputs-gh PR list ✅; Playwright title ✅; Tavily search ❌
Tests: file write ✅; bash cat ✅; discussion comment ✅; build awf ✅
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1154

[github-actions]

Java Build Test Results

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: PASS ✅

All Java projects compiled and tests passed successfully.

Generated by Build Test Java for issue #1154

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS

Run output

hello-world:

Hello, World!
```

**json-parse:**
```
{
  "Name": "AWF Test",
  "Version": 1,
  "Success": true
}
Name: AWF Test, Success: True

Generated by Build Test .NET for issue #1154

[github-actions]

Build Test: Node.js ✅

Project	Install	Tests	Status
clsx	✅	PASS	PASS
execa	✅	PASS	PASS
p-limit	✅	PASS	PASS

Overall: PASS

Generated by Build Test Node.js for issue #1154

[github-actions]

Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: ✅ PASS

Generated by Build Test Rust for issue #1154

[github-actions]

🦀 Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: ✅ PASS

Generated by Build Test Rust for issue #1154

[github-actions]

Build Test: Bun ✅

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: PASS

Generated by Build Test Bun for issue #1154

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS ✅

Run output

hello-world:

Hello, World!
```

**json-parse:**
```
{
  "Name": "AWF Test",
  "Version": 1,
  "Success": true
}
Name: AWF Test, Success: True

Generated by Build Test .NET for issue #1154

[github-actions]

🤖 Smoke Test Results

✅ GitHub MCP — Last 2 merged PRs: fix(squid): run Squid container as non-root user (#1153), fix(deps): resolve minimatch ReDoS and ajv vulnerabilities (#1152) — by @Mossaka
✅ Playwright — https://github.com title contains "GitHub"
✅ File Writing — /tmp/gh-aw/agent/smoke-test-copilot-22732846824.txt created successfully
✅ Bash Tool — File content verified via cat

Overall: PASS | Author: @Mossaka | Assignees: none

📰 BREAKING: Report filed by Smoke Copilot for issue #1154

[github-actions]

Go Build Test Results 🟢

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS

Generated by Build Test Go for issue #1154

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS

Generated by Build Test C++ for issue #1154

[github-actions]

Smoke Test Results

• ✅ GitHub MCP: fix(squid): run Squid container as non-root user #1153 fix(squid): run Squid container as non-root user, fix(docker): disable IPv6 when ip6tables unavailable #1154 fix(docker): disable IPv6 when ip6tables unavailable
• ✅ Playwright: GitHub page title contains "GitHub"
• ✅ File write: /tmp/gh-aw/agent/smoke-test-claude-22732846830.txt created
• ✅ Bash verify: file contents confirmed

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude for issue #1154

[github-actions]

🟢 Build Test: Node.js — PASS

Project	Install	Tests	Status
clsx	✅	PASS	✅ PASS
execa	✅	PASS	✅ PASS
p-limit	✅	PASS	✅ PASS

Overall: ✅ PASS

Generated by Build Test Node.js for issue #1154

[github-actions]

GitHub MCP (merged PRs): ✅
fix(squid): run Squid container as non-root user
fix(docker): disable IPv6 when ip6tables unavailable
safeinputs-gh PR list: ✅
Playwright title check: ✅
Tavily search: ❌
File writing: ✅
Bash cat verify: ✅
Discussion comment: ✅
Build (npm ci && npm run build): ✅
Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1154

[github-actions]

Build Test: Deno ✅

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: PASS

Deno 2.7.4 — all tests completed successfully.

Generated by Build Test Deno for issue #1154

[github-actions]

Java Build Test Results

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: ✅ PASS

Generated by Build Test Java for issue #1154