[cli-tools-test] Firewall analysis shows - as blocked domain with incorrect allow-list recommendation #26375

@github-actions

Description

Problem Description

When auditing workflow runs that have firewall-blocked traffic, the audit report sometimes shows a literal - (hyphen) as a blocked domain and generates an incorrect recommendation to add - to the network allow-list.

Tool

  • Tool: audit
  • Affected run: 24382493929 (Daily CLI Tools Exploratory Tester, 2026-04-14)

Steps to Reproduce

  1. Run audit on a workflow run that has firewall-blocked network traffic
  2. Observe blocked_domains: ["-"] in the audit output
  3. Observe the recommendation:
    ```yaml
    network:
      allowed:
        - -
    ```

Expected Behavior

  • The - placeholder (used for unknown/unresolvable iptables-dropped traffic) should not appear as a blocked domain in the audit report
  • The recommendation should only list actionable real domains, not placeholder values

Actual Behavior

The firewall_analysis in the audit output shows:

```json
{
  "blocked_domains": ["-"],
  "requests_by_domain": {
    "-": { "allowed": 0, "blocked": 40 }
  }
}
```

And the recommendation reads:
```
Add the blocked domain(s) to your workflow frontmatter:

network:
  allowed:
    - -
```

This is nonsensical: "-" is not a valid domain.

Root Cause

In pkg/cli/firewall_log.go (around line 309–315), when iptables drops traffic before Squid intercepts it, both entry.Domain and entry.DestIPPort are - (log format placeholders). The existing fallback logic correctly tries to use destIPPort when domain is -, but when destIPPort is also -, the - placeholder is used unchanged as the domain key:

```go
// line 312-315
domain := entry.Domain
if domain == "-" && entry.DestIPPort != "-" && entry.DestIPPort != "-:-" {
    domain = entry.DestIPPort
}
// No else branch: domain remains "-"
```

This - key then propagates to BlockedDomains, and audit_report_analysis.go (line 258–261) includes it verbatim in the network recommendation.

Suggested Fix

Two complementary changes:

  1. In firewall_log.go: Skip (or label differently) entries where domain remains - after the fallback:

    ```go
    if domain == "-" {
        // iptables-blocked with unknown destination; count as blocked
        // but don't add to domain sets (no actionable domain info)
        analysis.BlockedRequests++
        // ... update RequestsByDomain with a sentinel key like "(unknown)"
        continue // or use a sentinel
    }
    ```
  2. In audit_report_analysis.go: Filter out - (and any (unknown) sentinel) before generating the allow-list recommendation example.
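The following is an added, self-contained Go sketch of both suggested changes together; it is not code from pkg/cli/firewall_log.go or audit_report_analysis.go. The struct names (logEntry, firewallAnalysis), the "(unknown)" sentinel and the sample log entries are assumptions constructed for the example. It shows the domain fallback from the root-cause section, the sentinel mapping that keeps "-" out of the blocked-domain set, and a report-side filter that refuses to recommend placeholders even if one slips through the analysis layer:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// unknownDomain is the sentinel key for iptables-dropped traffic with no
// resolvable destination. The name is an assumption for this example; the
// issue only proposes "(unknown)" as one possible sentinel.
const unknownDomain = "(unknown)"

// logEntry is a simplified stand-in for the fields discussed in the issue,
// not the project's real log struct. "-" is the log-format placeholder.
type logEntry struct {
	Domain     string
	DestIPPort string
	Blocked    bool
}

type domainStats struct{ Allowed, Blocked int }

type firewallAnalysis struct {
	BlockedRequests  int
	RequestsByDomain map[string]domainStats
	BlockedDomains   []string
}

// domainKey applies the existing fallback (use DestIPPort when Domain is "-"),
// then maps a still-unresolved placeholder to the sentinel so "-" never
// becomes a map key.
func domainKey(domain, destIPPort string) string {
	if domain == "-" && destIPPort != "-" && destIPPort != "-:-" {
		domain = destIPPort
	}
	if domain == "-" {
		return unknownDomain
	}
	return domain
}

// analyze aggregates entries. Unknown-destination drops are counted in
// BlockedRequests and under the sentinel key, but are not added to
// BlockedDomains because there is no actionable domain to allow-list.
func analyze(entries []logEntry) firewallAnalysis {
	a := firewallAnalysis{RequestsByDomain: map[string]domainStats{}}
	blocked := map[string]bool{}
	for _, e := range entries {
		key := domainKey(e.Domain, e.DestIPPort)
		s := a.RequestsByDomain[key]
		if e.Blocked {
			s.Blocked++
			a.BlockedRequests++
			if key != unknownDomain {
				blocked[key] = true
			}
		} else {
			s.Allowed++
		}
		a.RequestsByDomain[key] = s
	}
	for d := range blocked {
		a.BlockedDomains = append(a.BlockedDomains, d)
	}
	sort.Strings(a.BlockedDomains) // deterministic report output
	return a
}

// isActionableDomain is the report-layer filter from the second suggested
// change: placeholders and the sentinel are never recommended.
func isActionableDomain(d string) bool {
	return d != "" && d != "-" && d != "-:-" && d != unknownDomain
}

// allowListRecommendation renders the frontmatter snippet, or returns "" when
// nothing actionable remains so the report emits no misleading example.
func allowListRecommendation(blocked []string) string {
	var actionable []string
	for _, d := range blocked {
		if isActionableDomain(d) {
			actionable = append(actionable, d)
		}
	}
	if len(actionable) == 0 {
		return ""
	}
	var b strings.Builder
	b.WriteString("network:\n  allowed:\n")
	for _, d := range actionable {
		fmt.Fprintf(&b, "    - %s\n", d)
	}
	return b.String()
}

func main() {
	// Constructed sample: two iptables drops with no destination info, one
	// Squid-denied request to a real domain, one allowed request (RFC 5737 IPs).
	entries := []logEntry{
		{Domain: "-", DestIPPort: "-", Blocked: true},
		{Domain: "-", DestIPPort: "-:-", Blocked: true},
		{Domain: "example.com", DestIPPort: "192.0.2.10:443", Blocked: true},
		{Domain: "example.org", DestIPPort: "198.51.100.7:443", Blocked: false},
	}
	a := analyze(entries)
	fmt.Printf("blocked requests: %d\n", a.BlockedRequests)
	fmt.Printf("blocked domains: %v\n", a.BlockedDomains)
	fmt.Printf("unknown-destination drops: %d\n", a.RequestsByDomain[unknownDomain].Blocked)
	fmt.Print(allowListRecommendation(a.BlockedDomains))
}
```

With the sample above the report lists example.com as the only blocked domain, records the two iptables drops under "(unknown)" so the blocked count stays accurate, and the rendered recommendation contains no "- -" line.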

Impact

  • Severity: Medium — confusing and misleading output; operators may waste time trying to diagnose or allowlist -
  • Frequency: Occurs whenever iptables drops traffic before Squid (common in sandboxed runs)
  • Workaround: Manually ignore the - entry in the blocked domains list

Generated by Daily CLI Tools Exploratory Tester

  • expires on Apr 22, 2026, 5:34 AM UTC
