Conversation
Contributor

Copilot AI commented Jan 27, 2026

Problem

Host filesystem mounted read-write (/:/host:rw) allows accidental or malicious writes during command execution. Need security hardening while preserving ability to execute host binaries not present in container.

Changes

Mount configuration

  • docker-manager.ts: Changed default mount from /:/host:rw to /:/host:ro
  • Updated tests to expect read-only mount

Command isolation wrapper

  • New isolate.sh script provides transparent host binary fallback:
    1. Check container PATH → execute directly if found
    2. Check /host mount → chroot to host if binary found there
    3. Fall through to bash error handling if neither

Integration

  • Dockerfile: Install isolate.sh to /usr/local/bin/
  • entrypoint.sh: Wrap all user commands with isolate.sh automatically

Example behavior:

# Container has curl → uses container's curl
awf --allow-domains github.com 'curl https://api.github.com'

# Container lacks terraform → chroots to /host, uses host's terraform
awf --allow-domains example.com 'terraform version'

Security model

  • Read-only mount prevents filesystem writes
  • chroot provides process isolation for host binaries
  • Graceful fallback: no set -e, POSIX-compliant path tests
  • Transparent: no CLI changes, backward compatible
  • Maintains existing NET_ADMIN drop and non-root execution

Documentation

Updated AGENTS.md with architecture details and types.ts with new default mount mode.

Original prompt

This section details the original issue you should resolve

<issue_title>[Security] Mount host filesystem as read-only with isolate.sh fallback</issue_title>
<issue_description>Background

PR #394 proposed mounting the host filesystem as read-only for improved security, with an isolate.sh utility to run host binaries via chroot when not available in container PATH.

Proposed Changes

  1. Read-only host mount: Change default mount from /:/host:rw to /:/host:ro in docker-manager.ts
  2. isolate.sh script: Add to agent container at /usr/local/bin/isolate.sh
    • Falls back to chroot into /host when binary not found in container PATH
    • Handles both absolute paths and relative commands
    • Validates /host exists before chroot attempt
  3. Automatic command wrapping: Modify entrypoint.sh to wrap all user commands with isolate.sh

Security Benefits

  • Prevents accidental or malicious writes to the host filesystem
  • Maintains ability to execute host binaries when needed

Issue created from PR #394 during backlog cleanup</issue_description>

Comments on the Issue (you are @copilot in this section)


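The lookup order the PR describes for isolate.sh (container PATH first, then the read-only /host mount, then an error) is shown below as an added example. It is not the project's isolate.sh and is not code from this PR; HOST_ROOT, resolve_command and isolate_exec are hypothetical names chosen here so the resolution logic can be exercised against any directory without actually calling chroot. Note that the chroot step needs CAP_SYS_CHROOT (or root) inside the container, and that chroot only changes the process's filesystem root; a host binary run this way still shares the container's PID, network and user namespaces, so the read-only bind mount is what actually prevents writes.

```shell
#!/bin/sh
# Added example of an isolate.sh-style resolver (hypothetical, not the project's script).
# Order: 1) container PATH, 2) host binary under the read-only mount, 3) "not found".
# HOST_ROOT is an assumed variable (defaults to /host) so the lookup can be tested
# against a temporary directory instead of a real mount.

HOST_ROOT="${HOST_ROOT:-/host}"

# resolve_command NAME
#   prints "container", "host" or "missing" and returns 0 only when a binary was found.
resolve_command() {
    name="$1"
    case "$name" in
        */*)
            # Absolute or relative path: check it in the container, then under the host root.
            if [ -x "$name" ]; then echo container; return 0; fi
            if [ -x "$HOST_ROOT/$name" ]; then echo host; return 0; fi
            ;;
        *)
            # Bare command: container PATH wins, then the host's usual bin directories.
            if command -v "$name" >/dev/null 2>&1; then echo container; return 0; fi
            for d in /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin; do
                if [ -x "$HOST_ROOT$d/$name" ]; then echo host; return 0; fi
            done
            ;;
    esac
    echo missing
    return 1
}

# isolate_exec CMD [ARGS...]
#   runs CMD from the container if present, otherwise chroots into HOST_ROOT and runs
#   it there; returns 127 (shell "command not found") when neither location has it.
isolate_exec() {
    cmd="$1"
    shift
    case "$(resolve_command "$cmd" || true)" in
        container)
            exec "$cmd" "$@"
            ;;
        host)
            # Validate the mount before attempting chroot, as the issue requests.
            if [ ! -d "$HOST_ROOT" ]; then
                echo "isolate: $HOST_ROOT is not mounted" >&2
                return 127
            fi
            exec chroot "$HOST_ROOT" "$cmd" "$@"
            ;;
        *)
            echo "isolate: $cmd: command not found" >&2
            return 127
            ;;
    esac
}
```

With HOST_ROOT pointed at a scratch directory containing a fake usr/bin/terraform, resolve_command reports "container" for sh, "host" for terraform and "missing" for an unknown name, which is the decision table the PR's two awf examples rely on.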

Copilot AI and others added 3 commits January 27, 2026 09:09
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Copilot AI changed the title [WIP] Change host filesystem mount to read-only with isolate.sh addition feat: mount host filesystem read-only with isolate.sh fallback Jan 27, 2026
Copilot AI requested a review from Mossaka January 27, 2026 09:16

Development

Successfully merging this pull request may close these issues.

[Security] Mount host filesystem as read-only with isolate.sh fallback