Add awf-squid bootstrap retry for healthcheck race condition

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Author: Copilot

pkg/workflow/awf_config_test.go

@@ -1045,6 +1045,78 @@ func TestBuildAWFCommand_UsesConfigFile(t *testing.T) {
 	assert.Contains(t, command, `"enabled":true`, "config JSON should have apiProxy enabled")
 }
 
+// TestBuildAWFCommand_SquidBootstrapRetry verifies that BuildAWFCommand wraps the AWF
+// invocation in a bootstrap retry loop that fires on awf-squid healthcheck failures.
+func TestBuildAWFCommand_SquidBootstrapRetry(t *testing.T) {
+	config := AWFCommandConfig{
+		EngineName:     "copilot",
+		EngineCommand:  "copilot --prompt-file /tmp/prompt.txt",
+		LogFile:        "/tmp/gh-aw/agent-stdio.log",
+		AllowedDomains: "github.com",
+		WorkflowData: &WorkflowData{
+			EngineConfig: &EngineConfig{ID: "copilot"},
+			NetworkPermissions: &NetworkPermissions{
+				Firewall: &FirewallConfig{Enabled: true},
+			},
+		},
+	}
+
+	command := BuildAWFCommand(config)
+
+	// Retry loop scaffolding must be present.
+	assert.Contains(t, command, "awf_bootstrap_retry_max=2",
+		"expected retry max counter")
+	assert.Contains(t, command, "awf_bootstrap_retry_attempt=0",
+		"expected retry attempt counter initialised to 0")
+	assert.Contains(t, command, "while true; do",
+		"expected retry while-loop")
+
+	// Per-attempt temp log must be created with restricted permissions.
+	assert.Contains(t, command, "umask 177",
+		"expected restricted permissions on per-attempt log")
+	assert.Contains(t, command, `mktemp "${RUNNER_TEMP:-/tmp}/awf-startup-XXXXXX.log"`,
+		"expected mktemp for per-attempt log")
+
+	// set +e / set -e must bracket the AWF pipeline so PIPESTATUS can be read
+	// even when the GitHub Actions runner uses bash -e (errexit).
+	setEOffIdx := strings.Index(command, "set +e")
+	awfIdx := strings.Index(command, "sudo -E awf")
+	setEOnIdx := strings.Index(command, "set -e")
+	assert.GreaterOrEqual(t, setEOffIdx, 0, "expected set +e before AWF pipeline")
+	assert.Less(t, setEOffIdx, awfIdx, "set +e must precede the AWF invocation")
+	assert.Less(t, awfIdx, setEOnIdx, "set -e must follow the AWF invocation")
+
+	// Exit code must be captured via PIPESTATUS[0] (not $?).
+	assert.Contains(t, command, "awf_exit=${PIPESTATUS[0]}",
+		"expected PIPESTATUS[0] to capture AWF exit code through the pipeline")
+
+	// Output must be split: per-attempt log (for grep) and main log (accumulated).
+	assert.Contains(t, command, `tee "$awf_attempt_log"`,
+		"expected per-attempt log written via tee for grep check")
+	assert.Contains(t, command, `tee -a /tmp/gh-aw/agent-stdio.log`,
+		"expected main log appended via tee -a")
+
+	// Retry condition must detect the specific squid unhealthy pattern.
+	assert.Contains(t, command, "dependency failed to start: container awf-squid is unhealthy",
+		"expected squid healthcheck failure pattern in retry condition")
+
+	// WARN message on retry and ERROR message on terminal failure.
+	assert.Contains(t, command, "[WARN] AWF bootstrap: awf-squid healthcheck failure on attempt",
+		"expected WARN message on retry")
+	assert.Contains(t, command, "[ERROR] AWF bootstrap: awf-squid healthcheck failure after all attempts",
+		"expected ERROR message on terminal failure")
+
+	// Squid container logs must be captured on terminal failure.
+	assert.Contains(t, command, "docker logs awf-squid",
+		"expected docker logs awf-squid captured on terminal failure")
+
+	// AWF must still be invoked with the standard flags.
+	assert.Contains(t, command, "sudo -E awf",
+		"expected sudo -E awf invocation inside retry loop")
+	assert.Contains(t, command, "--skip-pull",
+		"expected --skip-pull flag passed to AWF")
+}
+
 func TestBuildAWFCommand_ModelMultipliersLoadedFromFile(t *testing.T) {
 	config := AWFCommandConfig{
 		EngineName:    "copilot",

pkg/workflow/awf_helpers.go

@@ -300,6 +300,20 @@ fi`,
 	// pre-agent overhead such as workspace audit and CLI proxy startup.
 	writeAgentCLIStartMs := "printf '%s' \"$(date +%s%3N)\" > " + shellEscapeArg(AgentCLIStartMsPath)
 
+	// Build the AWF invocation with a one-shot bootstrap retry for transient awf-squid
+	// startup healthcheck failures. AWF v0.25.57+ already increases the squid healthcheck
+	// window (start_period=5s, retries=10, interval=2s), but this shell-level retry adds
+	// defence-in-depth for severely loaded runners that may still exhaust the probe window.
+	awfRunWithRetry := buildAWFSquidBootstrapRetry(
+		awfCommand,
+		expandableArgs,
+		toolCacheMountRef,
+		arcDindPrefixArgsRef,
+		awfArgs,
+		shellWrappedCommand,
+		config.LogFile,
+	)
+
 	// Build the complete command with proper formatting.
 	// configFileSetup (if non-empty) writes the AWF config JSON immediately before the
 	// AWF invocation so the file is present when AWF parses --config.
@@ -312,22 +326,14 @@ fi`,
 %s
 %s
 %s
-# shellcheck disable=SC1003
-%s %s %s %s %s \
-  -- %s 2>&1 | tee -a %s`,
+%s`,
 			writeAgentCLIStartMs,
 			config.PathSetup,
 			preCreateLog,
 			configFileSetup,
 			arcDindPrefixProbe,
 			toolCacheMountProbe,
-			awfCommand,
-			expandableArgs,
-			toolCacheMountRef,
-			arcDindPrefixArgsRef,
-			shellJoinArgs(awfArgs),
-			shellWrappedCommand,
-			shellEscapeArg(config.LogFile))
+			awfRunWithRetry)
 	} else if config.PathSetup != "" {
 		// Include path setup before AWF command (runs on host before AWF)
 		command = fmt.Sprintf(`set -o pipefail
@@ -336,69 +342,121 @@ fi`,
 %s
 %s
 %s
-# shellcheck disable=SC1003
-%s %s %s %s %s \
-  -- %s 2>&1 | tee -a %s`,
+%s`,
 			writeAgentCLIStartMs,
 			config.PathSetup,
 			preCreateLog,
 			arcDindPrefixProbe,
 			toolCacheMountProbe,
-			awfCommand,
-			expandableArgs,
-			toolCacheMountRef,
-			arcDindPrefixArgsRef,
-			shellJoinArgs(awfArgs),
-			shellWrappedCommand,
-			shellEscapeArg(config.LogFile))
+			awfRunWithRetry)
 	} else if configFileSetup != "" {
 		command = fmt.Sprintf(`set -o pipefail
 %s
 %s
 %s
 %s
 %s
-# shellcheck disable=SC1003
-%s %s %s %s %s \
-  -- %s 2>&1 | tee -a %s`,
+%s`,
 			writeAgentCLIStartMs,
 			preCreateLog,
 			configFileSetup,
 			arcDindPrefixProbe,
 			toolCacheMountProbe,
-			awfCommand,
-			expandableArgs,
-			toolCacheMountRef,
-			arcDindPrefixArgsRef,
-			shellJoinArgs(awfArgs),
-			shellWrappedCommand,
-			shellEscapeArg(config.LogFile))
+			awfRunWithRetry)
 	} else {
 		command = fmt.Sprintf(`set -o pipefail
 %s
 %s
 %s
 %s
-# shellcheck disable=SC1003
-%s %s %s %s %s \
-  -- %s 2>&1 | tee -a %s`,
+%s`,
 			writeAgentCLIStartMs,
 			preCreateLog,
 			arcDindPrefixProbe,
 			toolCacheMountProbe,
-			awfCommand,
-			expandableArgs,
-			toolCacheMountRef,
-			arcDindPrefixArgsRef,
-			shellJoinArgs(awfArgs),
-			shellWrappedCommand,
-			shellEscapeArg(config.LogFile))
+			awfRunWithRetry)
 	}
 
 	awfHelpersLog.Print("Successfully built AWF command")
 	return command
 }
 
+// buildAWFSquidBootstrapRetry returns the shell fragment that invokes AWF with a
+// one-shot retry for transient awf-squid startup healthcheck failures.
+//
+// Motivation: Docker compose uses a depends_on healthcheck condition for the
+// awf-squid container. On loaded runners the squid proxy can take longer to
+// bind its listening port than the healthcheck window allows, which causes
+// "dependency failed to start: container awf-squid is unhealthy" and an
+// immediate exit-1 with no agent output. AWF v0.25.57+ increased the probe
+// window (start_period 2s→5s, retries 5→10, interval 1s→2s), but a shell-level
+// retry provides defence-in-depth for edge cases on severely loaded runners.
+//
+// Retry policy:
+//   - Max 2 attempts (awf_bootstrap_retry_max=2): one initial attempt + one retry.
+//   - 10s sleep between attempts to let Docker settle.
+//   - Retry fires only on the specific squid healthcheck error pattern; all other
+//     AWF failures propagate immediately with the original exit code.
+//   - On terminal failure (retries exhausted) the squid container logs are captured
+//     and appended to the agent stdio log to aid diagnosis.
+//
+// The attempt log (awf_attempt_log) captures output from the current attempt only;
+// the main log file (logFile) accumulates output across all attempts via tee -a.
+// set +e / set -e wraps the pipeline so ${PIPESTATUS[0]} can be read even when the
+// GitHub Actions default shell uses -e (errexit).
+func buildAWFSquidBootstrapRetry(
+	awfCommand string,
+	expandableArgs string,
+	toolCacheMountRef string,
+	arcDindPrefixArgsRef string,
+	awfArgs []string,
+	shellWrappedCommand string,
+	logFile string,
+) string {
+	escapedLog := shellEscapeArg(logFile)
+	return fmt.Sprintf(
+		`awf_bootstrap_retry_max=2
+awf_bootstrap_retry_attempt=0
+while true; do
+  awf_bootstrap_retry_attempt=$((awf_bootstrap_retry_attempt + 1))
+  awf_attempt_log=$(umask 177 && mktemp "${RUNNER_TEMP:-/tmp}/awf-startup-XXXXXX.log")
+  set +e
+  # shellcheck disable=SC1003
+  %s %s %s %s %s \
+    -- %s 2>&1 | tee "$awf_attempt_log" | tee -a %s
+  awf_exit=${PIPESTATUS[0]}
+  set -e
+  if [[ $awf_exit -eq 0 ]]; then
+    rm -f "$awf_attempt_log"
+    break
+  fi
+  if grep -Fq 'dependency failed to start: container awf-squid is unhealthy' "$awf_attempt_log" \
+     && [[ $awf_bootstrap_retry_attempt -lt $awf_bootstrap_retry_max ]]; then
+    echo "[WARN] AWF bootstrap: awf-squid healthcheck failure on attempt $awf_bootstrap_retry_attempt/$awf_bootstrap_retry_max — retrying in 10s" | tee -a %s
+    rm -f "$awf_attempt_log"
+    sleep 10
+    continue
+  fi
+  if grep -Fq 'dependency failed to start: container awf-squid is unhealthy' "$awf_attempt_log"; then
+    echo "[ERROR] AWF bootstrap: awf-squid healthcheck failure after all attempts — capturing squid container logs" | tee -a %s
+    docker logs awf-squid 2>&1 | tail -200 | sed 's/^/[awf-squid] /' | tee -a %s || true
+  fi
+  rm -f "$awf_attempt_log"
+  exit "$awf_exit"
+done`,
+		awfCommand,
+		expandableArgs,
+		toolCacheMountRef,
+		arcDindPrefixArgsRef,
+		shellJoinArgs(awfArgs),
+		shellWrappedCommand,
+		escapedLog,
+		escapedLog,
+		escapedLog,
+		escapedLog,
+	)
+}
+
 // BuildAWFArgs constructs common AWF arguments from configuration.
 // This extracts the shared AWF argument building logic from engine implementations.
 //

pkg/workflow/testdata/TestWasmGolden_AllEngines/claude.golden

@@ -561,9 +561,35 @@ jobs:
           elif [ -d "/home/runner/work/_tool" ]; then
             GH_AW_TOOL_CACHE_MOUNT="/home/runner/work/_tool:/home/runner/work/_tool:ro"
           fi
-          # shellcheck disable=SC1003
-          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --tty --env-all --exclude-env ANTHROPIC_API_KEY --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
-            -- /bin/bash -c 'set +o histexpand; GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"; export PATH="$(find "$GH_AW_TOOL_CACHE" /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; GH_AW_NPM_GLOBAL_ROOT="$(npm root -g 2>/dev/null || true)"; if [ -n "$GH_AW_NPM_GLOBAL_ROOT" ]; then export NODE_PATH="${GH_AW_NPM_GLOBAL_ROOT}${NODE_PATH:+:${NODE_PATH}}"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/claude_harness.cjs claude --print --no-chrome --allowed-tools '\''Bash,BashOutput,Edit,Edit(/tmp/*),Edit(/tmp/gh-aw/agent/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/*),MultiEdit(/tmp/gh-aw/agent/*),NotebookEdit,NotebookRead,Read,Read(/tmp/*),Read(/tmp/gh-aw/agent/*),Task,TodoWrite,Write,Write(/tmp/*),Write(/tmp/gh-aw/agent/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode acceptEdits --output-format stream-json --mcp-config "${RUNNER_TEMP}/gh-aw/mcp-config/mcp-servers.json" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt${GH_AW_MODEL_DETECTION_CLAUDE:+ --model "$GH_AW_MODEL_DETECTION_CLAUDE"}' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
+          awf_bootstrap_retry_max=2
+          awf_bootstrap_retry_attempt=0
+          while true; do
+            awf_bootstrap_retry_attempt=$((awf_bootstrap_retry_attempt + 1))
+            awf_attempt_log=$(umask 177 && mktemp "${RUNNER_TEMP:-/tmp}/awf-startup-XXXXXX.log")
+            set +e
+            # shellcheck disable=SC1003
+            sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" ${GH_AW_TOOL_CACHE_MOUNT:+--mount "$GH_AW_TOOL_CACHE_MOUNT"} ${GH_AW_DOCKER_HOST_PATH_PREFIX_ARGS} --tty --env-all --exclude-env ANTHROPIC_API_KEY --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
+              -- /bin/bash -c 'set +o histexpand; GH_AW_TOOL_CACHE="${RUNNER_TOOL_CACHE:-/opt/hostedtoolcache}"; export PATH="$(find "$GH_AW_TOOL_CACHE" /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 5 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || true)"; fi; if [ -z "$GH_AW_NODE_EXEC" ]; then echo "node runtime missing on this runner — check runtimes.node in workflow YAML" >&2; exit 127; fi; GH_AW_NPM_GLOBAL_ROOT="$(npm root -g 2>/dev/null || true)"; if [ -n "$GH_AW_NPM_GLOBAL_ROOT" ]; then export NODE_PATH="${GH_AW_NPM_GLOBAL_ROOT}${NODE_PATH:+:${NODE_PATH}}"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/claude_harness.cjs claude --print --no-chrome --allowed-tools '\''Bash,BashOutput,Edit,Edit(/tmp/*),Edit(/tmp/gh-aw/agent/*),ExitPlanMode,Glob,Grep,KillBash,LS,MultiEdit,MultiEdit(/tmp/*),MultiEdit(/tmp/gh-aw/agent/*),NotebookEdit,NotebookRead,Read,Read(/tmp/*),Read(/tmp/gh-aw/agent/*),Task,TodoWrite,Write,Write(/tmp/*),Write(/tmp/gh-aw/agent/*),mcp__github__download_workflow_run_artifact,mcp__github__get_code_scanning_alert,mcp__github__get_commit,mcp__github__get_dependabot_alert,mcp__github__get_discussion,mcp__github__get_discussion_comments,mcp__github__get_file_contents,mcp__github__get_job_logs,mcp__github__get_label,mcp__github__get_latest_release,mcp__github__get_me,mcp__github__get_notification_details,mcp__github__get_pull_request,mcp__github__get_pull_request_comments,mcp__github__get_pull_request_diff,mcp__github__get_pull_request_files,mcp__github__get_pull_request_review_comments,mcp__github__get_pull_request_reviews,mcp__github__get_pull_request_status,mcp__github__get_release_by_tag,mcp__github__get_secret_scanning_alert,mcp__github__get_tag,mcp__github__get_workflow_run,mcp__github__get_workflow_run_logs,mcp__github__get_workflow_run_usage,mcp__github__issue_read,mcp__github__list_branches,mcp__github__list_code_scanning_alerts,mcp__github__list_commits,mcp__github__list_dependabot_alerts,mcp__github__list_discussion_categories,mcp__github__list_discussions,mcp__github__list_issue_types,mcp__github__list_issues,mcp__github__list_label,mcp__github__list_notifications,mcp__github__list_pull_requests,mcp__github__list_releases,mcp__github__list_secret_scanning_alerts,mcp__github__list_starred_repositories,mcp__github__list_tags,mcp__github__list_workflow_jobs,mcp__github__list_workflow_run_artifacts,mcp__github__list_workflow_runs,mcp__github__list_workflows,mcp__github__pull_request_read,mcp__github__search_code,mcp__github__search_issues,mcp__github__search_orgs,mcp__github__search_pull_requests,mcp__github__search_repositories,mcp__github__search_users'\'' --debug-file /tmp/gh-aw/agent-stdio.log --verbose --permission-mode acceptEdits --output-format stream-json --mcp-config "${RUNNER_TEMP}/gh-aw/mcp-config/mcp-servers.json" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt${GH_AW_MODEL_DETECTION_CLAUDE:+ --model "$GH_AW_MODEL_DETECTION_CLAUDE"}' 2>&1 | tee "$awf_attempt_log" | tee -a /tmp/gh-aw/agent-stdio.log
+            awf_exit=${PIPESTATUS[0]}
+            set -e
+            if [[ $awf_exit -eq 0 ]]; then
+              rm -f "$awf_attempt_log"
+              break
+            fi
+            if grep -Fq 'dependency failed to start: container awf-squid is unhealthy' "$awf_attempt_log" \
+               && [[ $awf_bootstrap_retry_attempt -lt $awf_bootstrap_retry_max ]]; then
+              echo "[WARN] AWF bootstrap: awf-squid healthcheck failure on attempt $awf_bootstrap_retry_attempt/$awf_bootstrap_retry_max — retrying in 10s" | tee -a /tmp/gh-aw/agent-stdio.log
+              rm -f "$awf_attempt_log"
+              sleep 10
+              continue
+            fi
+            if grep -Fq 'dependency failed to start: container awf-squid is unhealthy' "$awf_attempt_log"; then
+              echo "[ERROR] AWF bootstrap: awf-squid healthcheck failure after all attempts — capturing squid container logs" | tee -a /tmp/gh-aw/agent-stdio.log
+              docker logs awf-squid 2>&1 | tail -200 | sed 's/^/[awf-squid] /' | tee -a /tmp/gh-aw/agent-stdio.log || true
+            fi
+            rm -f "$awf_attempt_log"
+            exit "$awf_exit"
+          done
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
           BASH_DEFAULT_TIMEOUT_MS: 60000