JavaScript/TypeScript Runtime Support in AWF: Node.js, Bun, and Deno Testing Results

[Mossaka]

Summary

We conducted comprehensive testing of the AWF (Agentic Workflow Firewall) agent container across three JavaScript/TypeScript runtimes: Node.js, Bun, and Deno. This discussion documents our findings, identifies gaps, and provides recommendations for improving runtime support.

Test Methodology

We forked popular open-source repositories for each runtime, initialized them with gh aw init, created agentic workflows with firewall enabled, and monitored the CI agent's ability to build and test each project.

Repositories Tested

Runtime	Repository	Description	Result
Node.js	p-limit	Promise concurrency limiter	✅ Pass
Node.js	clsx	Classnames utility	✅ Pass
Node.js	execa	Process execution	⚠️ Partial (linting conflicts)
Bun	elysia	Bun web framework	✅ Pass
Bun	hono	Web framework	✅ Pass
Deno	std	Deno standard library	❌ Blocked (JSR)
Deno	oak	Deno web framework	❌ Blocked (JSR)

Detailed Findings

Node.js Runtime ✅

Status: Fully Supported

The Node.js runtime works excellently with the AWF agent container:

• ✅ npm install works correctly
• ✅ Test frameworks (ava, uvu, vitest) execute properly
• ✅ Network access to npm registry (registry.npmjs.org) works
• ✅ The node allowed domains profile is comprehensive

Workflow Configuration:

engine:
  id: copilot
  model: claude-sonnet-4

network:
  firewall: true
  allowed:
    - defaults
    - github
    - node

Bun Runtime ✅

Status: Fully Supported

Bun runtime works well, though the runtime binary needs to be installed by the agent:

• ✅ Agent successfully downloads Bun binary from GitHub releases
• ✅ bun install works correctly
• ✅ bun test executes properly
• ✅ The bun profile maps to node ecosystem (includes bun.sh)

Key Observation: The agent container doesn't have Bun pre-installed, but the agent intelligently downloads it from https://github.com/oven-sh/bun/releases/. This works because GitHub domains are allowed.

Deno Runtime ⚠️

Status: Partially Supported - Missing JSR Registry

Deno runtime has a critical gap: the JavaScript Registry (JSR) is not in the allowed domains.

• ✅ Agent successfully downloads Deno binary from GitHub releases
• ✅ Basic Deno commands work (deno eval, deno --version)
• ❌ JSR dependencies fail to download (HTTP 403 from firewall)
• ❌ Most modern Deno projects cannot run tests

Error observed:

error: JSR package manifest for '@std/assert' failed to load. 
Import 'https://jsr.io/@std/assert/meta.json' failed: 
error trying to connect: unsuccessful tunnel

Root Cause: The deno runtime maps to the node ecosystem which includes deno.land but not jsr.io. JSR is Deno's modern package registry.

Issue Created: #12395

Agent Container Capabilities

The AWF agent container demonstrated impressive adaptability:

What Works Well

1. Runtime Installation: Agents successfully download and install missing runtimes (Bun, Deno) from GitHub releases
2. Package Management: npm, bun install work correctly with firewall
3. Test Execution: Test frameworks run properly inside the container
4. Error Recovery: Agents identify issues and attempt workarounds

Observed Challenges

1. Integration Tests: Tests that spin up localhost servers may fail because the firewall blocks internal HTTP connections
2. Missing JSR: Deno projects using JSR packages cannot resolve dependencies
3. Actions Directory Conflicts: The actions/setup/ directory can conflict with project linting rules

Recommendations

Short-term Fixes

1. Add JSR to allowed domains (Add jsr.io to deno network profile allowed domains #12395)
2. Consider localhost exceptions for integration tests

Sample Workflow Configurations

Node.js:

network:
  firewall: true
  allowed: [defaults, github, node]

Bun:

network:
  firewall: true
  allowed: [defaults, github, bun]

Deno (workaround until #12395):

network:
  firewall: true
  allowed: [defaults, github, deno, "jsr.io", "*.jsr.io"]

Conclusion

The AWF agent container provides solid support for Node.js and Bun ecosystems. Deno support is close but blocked by the missing JSR registry. Once #12395 is resolved, all three major JavaScript/TypeScript runtimes should work seamlessly.

Related

• Issue Add jsr.io to deno network profile allowed domains #12395: Add jsr.io to deno network profile
• JSR Documentation