feat: group --help flags by category, hide dev-only options

[Mossaka]

Summary

• Upgrade commander.js v12 → v14 for optionsGroup() support
• Organize 24 CLI flags into 6 logical groups: Domain Filtering, Container, Images, Network, HTTPS Inspection, Logging & Debug
• Hide --build-local and --allow-full-filesystem-access from --help (both still work when passed — no breaking change)
• Shorten verbose multi-line descriptions to 1-line each
• Add scripts/build-images.sh as recommended dev workflow for local image builds

Before

Flat list of 24 flags, hard to scan.

After

Domain Filtering:
  --allow-domains <domains>     Allowed domains (comma-separated, supports wildcards and protocol prefixes)
  --allow-domains-file <path>   Read allowed domains from file (one per line or comma-separated)
  --block-domains <domains>     Blocked domains (overrides allowed, supports wildcards)
  --block-domains-file <path>   Read blocked domains from file (one per line or comma-separated)

Container:
  -e, --env <KEY=VALUE>         Environment variable (repeatable)
  --env-all                     Pass all host environment variables
  -v, --mount <src:dst[:mode]>  Volume mount (repeatable, format: host:container[:ro|rw])
  --container-workdir <dir>     Working directory inside the container
  --tty                         Allocate pseudo-TTY for interactive tools

Images:
  --image-tag <tag>             Container image tag (default: "latest")
  --image-registry <registry>   Container image registry
  --agent-image <value>         Agent image preset: default (~200MB) or act (~2GB)
  --skip-pull                   Use local images without pulling

Network:
  --dns-servers <servers>       Trusted DNS servers (comma-separated)
  --enable-host-access          Allow access to host via host.docker.internal
  --allow-host-ports <ports>    Allowed ports for host access

HTTPS Inspection:
  --ssl-bump                    Enable SSL Bump for HTTPS content inspection
  --allow-urls <urls>           Allowed URL patterns (requires --ssl-bump)
  --enable-api-proxy            Enable API proxy sidecar for credentials injection

Logging & Debug:
  --log-level <level>           Log level: debug, info, warn, error (default: "info")
  --keep-containers             Keep containers after exit for debugging
  --proxy-logs-dir <path>       Directory for Squid proxy logs
  --work-dir <dir>              Working directory for temporary files

Test plan

• npm run build compiles cleanly
• npm test — all 800 tests pass
• npm run lint — 0 errors
• node dist/cli.js --help shows grouped layout
• Hidden flags (--build-local, --allow-full-filesystem-access) still parse correctly when used
• CI passes (build, lint, unit tests, integration tests)

🤖 Generated with Claude Code

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	82.39%	82.54%	📈 +0.15%
Statements	82.32%	82.46%	📈 +0.14%
Functions	82.74%	82.74%	➡️ +0.00%
Branches	74.55%	74.65%	📈 +0.10%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	83.6% → 84.1% (+0.56%)	82.8% → 83.4% (+0.54%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR removes the Gemini smoke test workflow from the repository, deleting both the workflow definition (.md) and compiled workflow (.lock.yml) files.

Critical Issue: The PR title and description describe an entirely different set of changes (upgrading commander.js v12→v14, organizing CLI flags into groups, hiding dev-only options, and adding scripts/build-images.sh). None of these described changes are present in the actual diff. This appears to be a case of the wrong PR description being attached to these changes, or the wrong changes being committed to this PR.

Changes:

• Delete .github/workflows/smoke-gemini.md (102-line workflow definition)
• Delete .github/workflows/smoke-gemini.lock.yml (1816-line compiled workflow)

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/smoke-gemini.md	Deleted entire Gemini smoke test workflow definition
.github/workflows/smoke-gemini.lock.yml	Deleted entire compiled Gemini smoke test workflow (auto-generated by gh-aw v0.47.0)

Comments suppressed due to low confidence (1)

.github/workflows/smoke-gemini.md:1

• Critical discrepancy: The PR description describes upgrading commander.js from v12 to v14, organizing CLI flags into 6 groups, hiding dev-only options, shortening descriptions, and adding scripts/build-images.sh. However, the actual changes in this PR only delete the smoke-gemini workflow files. This appears to be the wrong PR description, or the wrong set of changes were committed. Please verify this is the intended change set before merging.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[github-actions]

Deno Build Test Results

Project	Tests	Status
oak	1/1	✅ PASS
std	1/1	✅ PASS

Overall: ✅ PASS

Generated by Build Test Deno for issue #1035

[github-actions]

🤖 Smoke test results for PR #1035 (@Mossaka):

Last 2 merged PRs:

• chore: remove smoke-gemini workflow #1033 "chore: remove smoke-gemini workflow"
• fix: always set NO_PROXY to bypass Squid for localhost #1032 "fix: always set NO_PROXY to bypass Squid for localhost"

Test	Result
✅ GitHub MCP	PRs retrieved
✅ Playwright	Page title contains "GitHub"
✅ File write	/tmp/gh-aw/agent/smoke-test-copilot-22411132047.txt created
✅ Bash verify	File content confirmed

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #1035

[github-actions]

Build Test: Bun Results ✅

Project	Install	Tests	Status
elysia	✅	1/1	PASS
hono	✅	1/1	PASS

Overall: PASS

Bun version: 1.3.9

Generated by Build Test Bun for issue #1035

[github-actions]

Build Test: Node.js Results

Project	Install	Tests	Status
clsx	✅	PASS	✅ PASS
execa	✅	PASS	✅ PASS
p-limit	✅	PASS	✅ PASS

Overall: ✅ PASS

Generated by Build Test Node.js for issue #1035

[github-actions]

Smoke Test Results — PASS

• ✅ GitHub MCP: chore: remove smoke-gemini workflow #1033 chore: remove smoke-gemini workflow, fix: always set NO_PROXY to bypass Squid for localhost #1032 fix: always set NO_PROXY to bypass Squid for localhost
• ✅ Playwright: github.com title contains "GitHub"
• ✅ File write: /tmp/gh-aw/agent/smoke-test-claude-22411132006.txt created
• ✅ Bash verify: file contents confirmed

💥 [THE END] — Illustrated by Smoke Claude for issue #1035

[github-actions]

Go Build Test Results ✅

Project	Download	Tests	Status
color	✅	1/1	PASS
env	✅	1/1	PASS
uuid	✅	1/1	PASS

Overall: PASS

Generated by Build Test Go for issue #1035

[github-actions]

.NET Build Test Results

Project	Restore	Build	Run	Status
hello-world	✅	✅	✅	PASS
json-parse	✅	✅	✅	PASS

Overall: PASS

Run output

hello-world:

Hello, World!
```

**json-parse:**
```
{
  "Name": "AWF Test",
  "Version": 1,
  "Success": true
}
Name: AWF Test, Success: True

Generated by Build Test .NET for issue #1035

[github-actions]

Rust Build Test Results

Project	Build	Tests	Status
fd	✅	1/1	PASS
zoxide	✅	1/1	PASS

Overall: PASS ✅

Generated by Build Test Rust for issue #1035

[github-actions]

C++ Build Test Results

Project	CMake	Build	Status
fmt	✅	✅	PASS
json	✅	✅	PASS

Overall: PASS ✅

Generated by Build Test C++ for issue #1035

[github-actions]

☕ Java Build Test Results

Project	Compile	Tests	Status
gson	✅	1/1	PASS
caffeine	✅	1/1	PASS

Overall: ✅ PASS

All Java projects compiled and tested successfully via Maven through the AWF proxy.

Generated by Build Test Java for issue #1035

[github-actions]

Merged PRs: chore: remove smoke-gemini workflow
Merged PRs: fix: always set NO_PROXY to bypass Squid for localhost
Test1 GitHub MCP review: OK
Test2 safeinputs-gh PR list: OK
Test3 Playwright title check: OK
Test4 Tavily search: FAIL (tool missing)
Test5 File write: OK
Test6 Bash cat: OK
Test7 Discussion comment: OK
Test8 Build: OK | Overall: FAIL

🔮 The oracle has spoken through Smoke Codex for issue #1035