Enable --enable-api-proxy for Claude and Codex engines#15533
Conversation
…proxy image The AWF api-proxy sidecar securely holds LLM API keys and proxies requests through the firewall. It exposes two endpoints: - Port 10000: OpenAI API proxy (for Codex) - Port 10001: Anthropic API proxy (for Claude) Changes: - claude_engine.go: Add --enable-api-proxy to AWF args when firewall is enabled - codex_engine.go: Add --enable-api-proxy to AWF args when firewall is enabled - docker.go: Pre-pull ghcr.io/github/gh-aw-firewall/api-proxy image for Claude and Codex engines (required because --skip-pull is used) - Add unit tests for docker image collection and engine flag generation - Recompile all workflow lock files Fixes the smoke-claude failure where AWF tried to start the api-proxy container but the image wasn't pre-pulled: Container awf-api-proxy Error response from daemon: No such image: ghcr.io/github/gh-aw-firewall/api-proxy:0.16.5 Note: The api-proxy Docker image must also be published to GHCR via the gh-aw-firewall release workflow before smoke tests will pass. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR enables the AWF API proxy feature for Claude and Codex engines to securely manage LLM API keys. The API proxy is a Node.js sidecar container that holds API keys and proxies requests through the firewall, preventing key exposure to agent containers.
Changes:
- Added
--enable-api-proxyflag to Claude and Codex engine AWF commands when firewall is enabled - Updated Docker image collection to include
api-proxycontainer for Claude and Codex engines - Added comprehensive unit tests for flag generation and image collection
- Recompiled all workflow lock files to include api-proxy image downloads and flag usage
- Minor documentation update in agent markdown file
Reviewed changes
Copilot reviewed 51 out of 51 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/docker.go | Added logic to collect api-proxy Docker image for Claude and Codex engines when firewall is enabled |
| pkg/workflow/claude_engine.go | Added --enable-api-proxy flag to AWF command with explanatory comments |
| pkg/workflow/codex_engine.go | Added --enable-api-proxy flag to AWF command with explanatory comments |
| pkg/workflow/enable_api_proxy_test.go | Unit tests verifying flag presence for Claude/Codex and absence for Copilot |
| pkg/workflow/docker_api_proxy_test.go | Unit tests verifying api-proxy image collection for Claude/Codex only |
| .github/workflows/*.lock.yml (43 files) | Recompiled lock files with api-proxy image and --enable-api-proxy flag |
| .github/agents/agentic-workflows.agent.md | Minor comment update for compile command |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
v0.17.0 includes the api-proxy container image in the release pipeline, which is required for --enable-api-proxy to work with --skip-pull. Recompiled all 150 workflow lock files to reference v0.17.0 images. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
🧪 Smoke Temporary ID is now testing temporary ID functionality... |
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
|
❌ Changeset Generator failed. Please review the logs for details. |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
🧪 Smoke Project is now testing project operations... |
|
✅ Smoke Temporary ID completed successfully. Temporary ID validation passed. |
Agent Container Tool Check ✅All required development tools are available in the agent container environment.
Result: 12/12 tools available ✅ PASS Smoke test completed successfully - all required development tools are accessible.
|
|
✅ Smoke Project completed successfully. All project operations validated. |
|
🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation... |
|
🎭 The Smoke Test Agent paid a visit! 🤖✨ Just completed a full system check and wanted to say hi to the community. All systems are operational and the coffee machine is running smoothly. ☕️ Stay awesome, everyone! 🚀
|
* Initial plan * Use supportsLLMGateway flag to control api-proxy image and --enable-api-proxy flag - Set Claude engine supportsLLMGateway: true - Set Codex engine supportsLLMGateway: false - Refactor docker.go to check engine's supportsLLMGateway flag instead of hardcoded engine name - Refactor claude_engine.go to conditionally add --enable-api-proxy based on supportsLLMGateway - Add same conditional logic to codex_engine.go for future LLM gateway support - Update tests to verify behavior for all engines Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> * Apply formatting to claude_engine.go --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
❌ Smoke Temporary ID encountered failures. Check the logs for details. |
|
📰 DEVELOPING STORY: Smoke Copilot reports was cancelled. Our correspondents are investigating the incident... |
|
🧪 Smoke Temporary ID is now testing temporary ID functionality... |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
❌ Smoke Project encountered failures. Check the logs for details. |
|
✅ Changeset Generator completed successfully! No changeset needed: documentation-only changes |
|
✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟 |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
🧪 Smoke Project is now testing project operations... |
|
✅ Smoke Temporary ID completed successfully. Temporary ID validation passed. |
Agent Container Tool Check ✅All required development tools are available in the agent container:
Result: 12/12 tools available ✅ Status: PASS - All tested tools are accessible and functioning correctly in the agent container environment.
|
|
PRs: #15557 Refactor API proxy to use supportsLLMGateway engine flag
|
|
✅ Smoke Project completed successfully. All project operations validated. |
Smoke Test ResultsStatus: ✅ PASS
Run: §22008679404 cc @Mossaka
|
|
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤 |
Summary
--enable-api-proxyflag to AWF args when firewall is enabled--enable-api-proxyflag to AWF args when firewall is enabledghcr.io/github/gh-aw-firewall/api-proxy:<version>to thedownload_docker_images.shstep for Claude and Codex workflows (required because--skip-pullis used)Context
PR #15520 attempted to enable the API proxy for Claude but the smoke-claude test failed with:
Root causes:
api-proxyDocker image was not being pre-pulled in theDownload container imagesstep (the compiler'scollectDockerImages()only addedsquidandagentimages)--enable-api-proxyflag was only added for Claude, but the api-proxy sidecar supports both Claude (port 10001, Anthropic API) and Codex (port 10000, OpenAI API)How the API proxy sidecar works
The AWF api-proxy is a Node.js sidecar container that:
http://api-proxy:10000→ OpenAI API (for Codex, injectsAuthorization: Bearer $OPENAI_API_KEY)http://api-proxy:10001→ Anthropic API (for Claude, injectsx-api-key: $ANTHROPIC_API_KEY)OPENAI_BASE_URL/ANTHROPIC_BASE_URLenv vars in the agent containerBlocker
Warning
The
api-proxyDocker image (ghcr.io/github/gh-aw-firewall/api-proxy) has not been published to GHCR yet. Thegh-aw-firewallrelease workflow needs to be updated to build and push this image before smoke tests will pass. Thecontainers/api-proxy/directory already exists in the firewall repo.Test plan
TestCollectDockerImages_APIProxyForClaudeandTestEngineAWFEnableApiProxypkg/workflowtest suite passesapi-proxyimage appears insmoke-claude.lock.ymlandsmoke-codex.lock.ymldownload step--enable-api-proxyflag appears in Claude and Codex AWF commands🤖 Generated with Claude Code