Skip to content

Commit 3191b01

Browse files
Mossakaclaude
andauthored
docs: sync version references and add missing CLI flags (#1223)
- Update Docker image examples from v0.13.0 to latest tag in usage.md - Add dedicated --enable-api-proxy section with examples and link to api-proxy-sidecar.md Note: --allow-full-filesystem-access flag referenced in #836 does not exist in the codebase and was not documented. quickstart.md version was already at 0.18.0 (newer than the 0.16.2 target), so no change needed. Closes #836 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent c8e84e9 commit 3191b01

1 file changed

Lines changed: 38 additions & 5 deletions

File tree

docs/usage.md

Lines changed: 38 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -428,6 +428,35 @@ SSL Bump requires intercepting HTTPS traffic:
428428

429429
For more details, see [SSL Bump documentation](ssl-bump.md).
430430

431+
## API Proxy Sidecar
432+
433+
The `--enable-api-proxy` flag deploys a Node.js proxy sidecar that securely holds LLM API credentials and automatically injects authentication headers. This keeps API keys isolated from the agent container.
434+
435+
```bash
436+
# Enable the API proxy sidecar (reads keys from environment)
437+
sudo awf \
438+
--allow-domains api.openai.com,api.anthropic.com \
439+
--enable-api-proxy \
440+
-- your-agent-command
441+
```
442+
443+
When enabled, the proxy:
444+
- Isolates API keys from the agent container (keys never enter the agent environment)
445+
- Automatically injects Bearer tokens for OpenAI and Anthropic APIs
446+
- Routes all traffic through Squid to respect domain whitelisting
447+
448+
Rate limiting is available with the API proxy:
449+
```bash
450+
sudo awf \
451+
--allow-domains api.openai.com \
452+
--enable-api-proxy \
453+
--rate-limit-rpm 60 \
454+
--rate-limit-rph 1000 \
455+
-- your-agent-command
456+
```
457+
458+
For detailed architecture, credential flow, and configuration, see [API Proxy Sidecar](api-proxy-sidecar.md).
459+
431460
## Agent Image
432461

433462
The `--agent-image` flag controls which agent container image to use. It supports two presets for quick startup, or custom base images for advanced use cases.
@@ -605,12 +634,16 @@ sudo awf --skip-pull --allow-domains github.com -- your-command
605634
**Using Specific Versions:**
606635
```bash
607636
# Pre-download specific version
608-
docker pull ghcr.io/github/gh-aw-firewall/squid:v0.13.0
609-
docker pull ghcr.io/github/gh-aw-firewall/agent:v0.13.0
637+
docker pull ghcr.io/github/gh-aw-firewall/squid:latest
638+
docker pull ghcr.io/github/gh-aw-firewall/agent:latest
639+
640+
# Or pin to a specific version
641+
docker pull ghcr.io/github/gh-aw-firewall/squid:v0.16.2
642+
docker pull ghcr.io/github/gh-aw-firewall/agent:v0.16.2
610643

611-
# Tag as latest for awf to use
612-
docker tag ghcr.io/github/gh-aw-firewall/squid:v0.13.0 ghcr.io/github/gh-aw-firewall/squid:latest
613-
docker tag ghcr.io/github/gh-aw-firewall/agent:v0.13.0 ghcr.io/github/gh-aw-firewall/agent:latest
644+
# Tag a specific version as latest for awf to use
645+
docker tag ghcr.io/github/gh-aw-firewall/squid:v0.16.2 ghcr.io/github/gh-aw-firewall/squid:latest
646+
docker tag ghcr.io/github/gh-aw-firewall/agent:v0.16.2 ghcr.io/github/gh-aw-firewall/agent:latest
614647

615648
# Use with --skip-pull
616649
sudo awf --skip-pull --allow-domains github.com -- your-command

0 commit comments

Comments
 (0)