fix: create resolv.conf in chroot when not mounted

[Copilot]

In chroot mode with selective /etc mounts (e.g., PR #545 mounts /etc/hosts but not /etc/resolv.conf), DNS queries fall back to the host's systemd-resolved at 127.0.0.53, which is blocked by iptables. This causes all DNS resolution to fail.

Changes

• Detection: Check if /host/etc/resolv.conf exists before attempting backup
• Creation: When absent, create it from container's /etc/resolv.conf (contains correct AWF nameservers: 127.0.0.11, 8.8.8.8, 8.8.4.4)
• Cleanup: Add RESOLV_CREATED flag; exit trap removes created file (vs. restoring from backup for modified files)

Implementation (containers/agent/entrypoint.sh)

RESOLV_MODIFIED=false
RESOLV_CREATED=false
if [ -f /host/etc/resolv.conf ]; then
  # Existing behavior: backup and replace
  cp /host/etc/resolv.conf "$RESOLV_BACKUP"
  cp /etc/resolv.conf /host/etc/resolv.conf && RESOLV_MODIFIED=true
else
  # New behavior: create from container's DNS config
  cp /etc/resolv.conf /host/etc/resolv.conf && RESOLV_CREATED=true
fi

# Cleanup trap
if [ "$RESOLV_MODIFIED" = "true" ]; then
  CLEANUP_CMD="...; mv '$BACKUP' /etc/resolv.conf"
elif [ "$RESOLV_CREATED" = "true" ]; then
  CLEANUP_CMD="...; rm -f /etc/resolv.conf"
fi

Evidence from smoke-codex logs

• [WARN] Could not backup host resolv.conf, skipping DNS override — file doesn't exist
• 30× error sending request for url (https://api.openai.com/v1/...) — DNS blocked
• MCP servers via host.docker.internal worked — confirms firewall bypass works, DNS is the issue

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.