docs: fix iptables logging references after simplification

[github-actions]

Documentation Sync - March 7–13, 2026

This PR synchronizes documentation with the code changes from commit 5d2ef18 ("fix(docker): simplify to localhost+Squid-only iptables (#1270)").

Changes Made

• AGENTS.md: Corrected the ### iptables Logging section

  • Changed LOG rule source from containers/agent/setup-iptables.sh to src/host-iptables.ts (where FW_BLOCKED_UDP and FW_BLOCKED_OTHER rules actually live, in the DOCKER-USER chain)
  • Removed incorrect line number references (Line 80, Line 95)
  • Removed incorrect --log-uid flag reference (this flag is not used)
  • Removed "PID not directly available (UID can be used for correlation)" note (UID is not logged)
  • Clarified that iptables logs appear on the host kernel log, not inside the container
  • Removed stale src/squid-config.ts:40 line number reference

• docs/logging_quickref.md: Removed outdated DNS query logging section and fixed container dmesg note

  • Removed the entire "DNS Query Logging (Audit Trail)" section — the [FW_DNS_QUERY] log prefix no longer exists anywhere in the codebase
  • Removed the incorrect docker exec awf-agent dmesg | grep FW_BLOCKED command (host DOCKER-USER chain logs are only visible on the host)
  • Added clarification that FW_BLOCKED entries appear in the host kernel log
  • Removed UID=0 from the iptables log example (not logged since --log-uid is not used)

• docs/troubleshooting.md: Removed incorrect container dmesg command

  • Removed docker exec awf-agent dmesg | grep FW_BLOCKED (same reason as above)
  • Added clarification that these are host-level DOCKER-USER chain logs

Code Changes Referenced

• Commit 5d2ef18: "fix(docker): simplify to localhost+Squid-only iptables (fix(docker): simplify to localhost+Squid-only iptables #1270)" — this PR simplified the container-level iptables in setup-iptables.sh. The LOG rules (FW_BLOCKED_UDP, FW_BLOCKED_OTHER) were never in setup-iptables.sh; they exist in src/host-iptables.ts. The FW_DNS_QUERY log prefix was removed entirely.

Verification

• Verified FW_BLOCKED_UDP/FW_BLOCKED_OTHER exist only in src/host-iptables.ts (lines 400, 412)
• Verified FW_DNS_QUERY does not exist anywhere in the codebase
• Verified --log-uid flag is not used in src/host-iptables.ts or containers/agent/setup-iptables.sh
• Verified docker exec awf-agent dmesg cannot show host DOCKER-USER chain kernel logs
• Consistent with existing documentation style

AI generated by Documentation Maintainer

[github-actions]

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit 00d4ea8

[github-actions]

Smoke Test Results — run 23208107287

✅ GitHub MCP — Last 2 merged PRs:

• fix: fix awf-runner timeout detection and no-docker test timeouts #1332: fix: fix awf-runner timeout detection and no-docker test timeouts (by @Copilot)
• fix: route GHEC Copilot proxy to copilot-api subdomain #1331: fix: route GHEC Copilot proxy to copilot-api subdomain (by @Copilot)

✅ Playwright — github.com title contains "GitHub"
✅ File Write — /tmp/gh-aw/agent/smoke-test-copilot-23208107287.txt created
✅ Bash — file verified via cat

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #1292

[github-actions]

Smoke Test Results ✅ PASS

• ✅ GitHub MCP: [Deps] Safe dependency updates (2026-03-15) #1313 [Deps] Safe dependency updates (2026-03-15), [Deps] Safe dependency updates (2026-03-14) #1297 [Deps] Safe dependency updates (2026-03-14)
• ✅ Playwright: Page title contains "GitHub"
• ✅ File write: /tmp/gh-aw/agent/smoke-test-claude-23208107224.txt created
• ✅ Bash: File verified via cat

💥 [THE END] — Illustrated by Smoke Claude for issue #1292

[github-actions]

🔮 The oracle records this smoke reading.
PR titles: "fix: route GHEC Copilot proxy to copilot-api subdomain" | "fix: fix awf-runner timeout detection and no-docker test timeouts"
GitHub MCP review: ✅
safeinputs-gh PR query: ❌ (tool unavailable in this run)
Playwright title contains "GitHub": ✅
Tavily search: ❌ (tool unavailable in this run)
File write + cat readback: ✅
Discussion oracle comment: ❌ (required discussion-query/additional safe-output action unavailable)
Build (npm ci && npm run build): ✅
Overall status: FAIL

🔮 The oracle has spoken through Smoke Codex

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

• ab.chatgpt.com
• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "ab.chatgpt.com"
    - "registry.npmjs.org"

See Network Configuration for more information.

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #1292 · ◷