fix(ci): add BASE_URL environment variables for CODEX api-proxy routing (#802)

* Initial plan

* fix(ci): add BASE_URL environment variables for CODEX api-proxy routing

CODEX was not being directed to use the api-proxy because the
OPENAI_BASE_URL and ANTHROPIC_BASE_URL environment variables were
not explicitly set in the smoke-codex workflow.

While AWF automatically sets these variables when generating the
docker-compose configuration (if API keys are present), explicitly
setting them in the workflow env ensures they are available to the
CODEX agent for routing API calls through the api-proxy sidecar.

This fix adds:
- OPENAI_BASE_URL=http://api-proxy:10000
- ANTHROPIC_BASE_URL=http://api-proxy:10001

to the 'Run Codex' step environment variables.

Fixes job failure in run 63483600453.

* fix(ci): remove API keys from agent env when api-proxy is enabled (#803)

* Initial plan

* fix(ci): remove API keys from agent env when api-proxy is enabled

When api-proxy is enabled (indicated by BASE_URL environment variables),
API keys should NOT be exposed to the agent container for security.
The api-proxy sidecar holds the credentials and injects auth headers.

Previously, the workflow was passing both:
- CODEX_API_KEY and OPENAI_API_KEY (should NOT be in agent env)
- OPENAI_BASE_URL and ANTHROPIC_BASE_URL (should be in agent env)

This defeated the security isolation provided by api-proxy.

Changes:
- Removed CODEX_API_KEY and OPENAI_API_KEY from agent environment block
- Kept OPENAI_BASE_URL and ANTHROPIC_BASE_URL for routing to api-proxy
- The awf CLI still receives keys via `sudo -E` and `--env-all`
- awf passes keys only to api-proxy container, not agent container

Security model:
- awf reads keys from host environment (process.env)
- awf passes keys only to api-proxy sidecar (src/docker-manager.ts:908-909)
- Agent only receives BASE_URL variables (src/docker-manager.ts:948-955)
- api-proxy injects auth headers and routes through Squid

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix(firewall): add api-proxy to allowed domains when enabled (#804)

* Initial plan

* fix(firewall): add api-proxy to allowed domains when enabled

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix(squid): handle bare hostnames without leading dot for api-proxy (#805)

* Initial plan

* fix(squid): handle bare hostnames without leading dot for api-proxy

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix(agent): enable direct api-proxy access and remove api key from env (#807)

* Initial plan

* fix(agent): enable direct api-proxy access and remove api key from env

- Add iptables bypass for api-proxy in setup-iptables.sh
- Pass AWF_ENABLE_API_PROXY env var from docker-manager.ts
- Remove ANTHROPIC_API_KEY from agent env in workflows
- Update postprocess script to strip API key from compiled workflows

Fixes agent->api-proxy connectivity and security vulnerability where
API key was exposed to agent container instead of isolated to api-proxy.

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>

* fix: pass ANTHROPIC_API_KEY to validation in all Claude workflows (#808)

* Initial plan

* fix: pass ANTHROPIC_API_KEY to validation step in smoke-claude workflow

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix: pass ANTHROPIC_API_KEY to validation in all Claude workflows

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix: only enable api-proxy when API keys are provided (#810)

* Initial plan

* fix: only enable api-proxy when API keys are provided

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* feat(workflow): enable api-proxy for smoke-claude workflow

- Add --enable-api-proxy flag to awf command
- Add --anthropic-api-key flag to pass API key to api-proxy sidecar
- Add ANTHROPIC_API_KEY to env block for agent step
- API key is shared with api-proxy, kept out of agent container
- Agent uses ANTHROPIC_BASE_URL to direct requests to api-proxy

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* refactor(workflow): remove redundant --enable-api-proxy flag

The --enable-api-proxy flag defaults to true (src/cli.ts:724), so it
doesn't need to be explicitly specified. The api-proxy sidecar will
automatically deploy when API keys are present.

See docs/api-proxy-sidecar.md:51 which states "The API proxy is
enabled by default and automatically deploys when API keys are present"

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix: remove unknown --anthropic-api-key flag from smoke-claude workflow (#811)

* Initial plan

* fix: remove unknown --anthropic-api-key flag from smoke-claude workflow

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix: use api-proxy IP address instead of hostname for BASE_URL (#813)

* Initial plan

* fix: use api-proxy IP address instead of hostname for BASE_URL

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix: use api-proxy IP address instead of hostname for BASE_URL (#813) (#815)

* Initial plan

* fix: use api-proxy IP address instead of hostname for BASE_URL (#813)

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix(api-proxy): use IP address for API base URLs to avoid DNS issues

In chroot mode, Docker container hostname resolution can fail because
the DNS resolver may not properly reach Docker's embedded DNS. Use the
api-proxy IP address directly (e.g., http://172.30.0.30:10001) instead
of the hostname (http://api-proxy:10001) to eliminate DNS resolution as
a failure point.

Also add test coverage for the host-iptables api-proxy ACCEPT rule.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: exclude API keys from agent when api-proxy is enabled (#814)

* Initial plan

* fix: exclude API keys from agent when api-proxy is enabled

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>

* fix(agent): use AWF_API_PROXY_IP env var for api-proxy iptables rules (#817)

* Initial plan

* fix(agent): use AWF_API_PROXY_IP env var for api-proxy iptables

Move api-proxy iptables rules to use pre-set AWF_API_PROXY_IP environment
variable instead of dynamic hostname resolution, and place FILTER rules in
the correct position (after NAT setup, before final DROP rule).

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* Add debug logging for BASE_URL environment variables in agent container (#816)

* Initial plan

* feat: add debug logging for BASE_URL environment variables

Add logging to display ANTHROPIC_BASE_URL and OPENAI_BASE_URL values
that are set for the agent container. This helps debug configuration
issues when running Claude Code CLI in the workflow.

The logging is added after the Docker Compose config is generated,
showing whether BASE_URL variables are set or using defaults.

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* fix: simplify api-proxy iptables bypass condition (#819)

* Initial plan

* fix: simplify api-proxy iptables bypass condition

The NAT bypass for api-proxy traffic was checking both AWF_ENABLE_API_PROXY
and AWF_API_PROXY_IP, but this was too strict. When the HTTP_PROXY
environment variable is set, HTTP clients will send requests through the
proxy unless NO_PROXY is configured or iptables rules prevent it.

The issue was that the NAT bypass required both flags, causing traffic
to 172.30.0.30 (api-proxy) to be sent through Squid when it should go
directly. Squid then blocked these requests because the IP address wasn't
in the domain whitelist.

The fix simplifies the condition to only check AWF_API_PROXY_IP, matching
the pattern used for the OUTPUT FILTER ACCEPT rules (lines 285-289).
This ensures that when AWF_API_PROXY_IP is set, traffic to that IP
bypasses Squid at the NAT level, preventing HTTP clients from routing
through the proxy regardless of HTTP_PROXY settings.

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

* Initial plan (#818)

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>

* fix: add api-proxy IP to squid allowlist (#820)

* Initial plan

* fix: add api-proxy IP to squid allowlist

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

---------

Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: Landon Cox <landon.cox@microsoft.com>
Co-authored-by: Jiaxiao (mossaka) Zhou <duibao55328@gmail.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 4 people

.github/workflows/secret-digger-claude.lock.yml

@@ -127,11 +127,19 @@ fi
 echo "[iptables] Allow traffic to Squid proxy (${SQUID_IP}:${SQUID_PORT})..."
 iptables -t nat -A OUTPUT -d "$SQUID_IP" -j RETURN
 
-# Allow direct traffic to API proxy sidecar (bypasses Squid)
-# The api-proxy container holds API keys and proxies to LLM APIs through Squid
+# Bypass Squid for api-proxy when API proxy IP is configured.
+# The agent needs to connect directly to api-proxy (not through Squid).
+# The api-proxy then routes outbound traffic through Squid to enforce domain whitelisting.
+# Architecture: agent -> api-proxy (direct) -> Squid -> internet
+# Use AWF_API_PROXY_IP environment variable set by docker-manager (172.30.0.30)
 if [ -n "$AWF_API_PROXY_IP" ]; then
-  echo "[iptables] Allow direct traffic to API proxy sidecar (${AWF_API_PROXY_IP})..."
-  iptables -t nat -A OUTPUT -d "$AWF_API_PROXY_IP" -j RETURN
+  if is_valid_ipv4 "$AWF_API_PROXY_IP"; then
+    echo "[iptables] Allow direct traffic to api-proxy (${AWF_API_PROXY_IP}) - bypassing Squid..."
+    # NAT: skip DNAT to Squid for all traffic to api-proxy
+    iptables -t nat -A OUTPUT -d "$AWF_API_PROXY_IP" -j RETURN
+  else
+    echo "[iptables] WARNING: AWF_API_PROXY_IP has invalid format '${AWF_API_PROXY_IP}', skipping api-proxy bypass"
+  fi
 fi
 
 # Bypass Squid for host.docker.internal when host access is enabled.
@@ -270,9 +278,12 @@ iptables -A OUTPUT -p tcp -d 127.0.0.11 --dport 53 -j ACCEPT
 # Allow traffic to Squid proxy (after NAT redirection)
 iptables -A OUTPUT -p tcp -d "$SQUID_IP" -j ACCEPT
 
-# Allow traffic to API proxy sidecar (ports 10000/10001)
+# Allow traffic to API proxy sidecar (ports 10000 for OpenAI, 10001 for Anthropic)
+# Must be added before the final DROP rule
 if [ -n "$AWF_API_PROXY_IP" ]; then
-  iptables -A OUTPUT -p tcp -d "$AWF_API_PROXY_IP" -j ACCEPT
+  echo "[iptables] Allow traffic to api-proxy (${AWF_API_PROXY_IP}) ports 10000, 10001..."
+  iptables -A OUTPUT -p tcp -d "$AWF_API_PROXY_IP" --dport 10000 -j ACCEPT
+  iptables -A OUTPUT -p tcp -d "$AWF_API_PROXY_IP" --dport 10001 -j ACCEPT
 fi
 
 # Drop all other TCP traffic (default deny policy)

.github/workflows/security-guard.lock.yml

@@ -6,7 +6,7 @@ Node.js-based API proxy that keeps LLM API credentials isolated from the agent c
 
 ```
 Agent Container (172.30.0.20)
-  ↓ HTTP request to api-proxy:10000
+  ↓ HTTP request to 172.30.0.30:10000
 API Proxy Sidecar (172.30.0.30)
   ↓ Injects Authorization header
   ↓ Routes via HTTP_PROXY (172.30.0.10:3128)

.github/workflows/smoke-claude.lock.yml

@@ -26,9 +26,9 @@ When enabled, the API proxy sidecar:
 │         │  │      Agent Container         │    │
 │         │  │      172.30.0.20             │    │
 │         │  │  OPENAI_BASE_URL=            │    │
-│         │  │    http://api-proxy:10000    │────┘
+│         │  │    http://172.30.0.30:10000  │────┘
 │         │  │  ANTHROPIC_BASE_URL=         │
-│         │  │    http://api-proxy:10001    │
+│         │  │    http://172.30.0.30:10001  │
 │         │  └──────────────────────────────┘
 │         │
 └─────────┼─────────────────────────────────────┘
@@ -38,7 +38,7 @@ When enabled, the API proxy sidecar:
 ```
 
 **Traffic Flow:**
-1. Agent makes request to `api-proxy:10000` or `api-proxy:10001`
+1. Agent makes request to `172.30.0.30:10000` or `172.30.0.30:10001`
 2. API proxy injects authentication headers
 3. API proxy routes through Squid via HTTP_PROXY/HTTPS_PROXY
 4. Squid enforces domain whitelist (only allowed domains pass)
@@ -82,7 +82,7 @@ awf --enable-api-proxy \
   -- npx @openai/codex -p "write a hello world function"
 ```
 
-The agent container will automatically use `http://api-proxy:10000` as the base URL.
+The agent container will automatically use `http://172.30.0.30:10000` as the base URL.
 
 ### Claude Code Example
 
@@ -94,7 +94,7 @@ awf --enable-api-proxy \
   -- claude-code "write a hello world function"
 ```
 
-The agent container will automatically use `http://api-proxy:10001` as the base URL.
+The agent container will automatically use `http://172.30.0.30:10001` as the base URL.
 
 ### Both Providers
 
@@ -113,8 +113,8 @@ When API keys are provided, the sidecar sets these environment variables in the
 
 | Variable | Value | When Set | Description |
 |----------|-------|----------|-------------|
-| `OPENAI_BASE_URL` | `http://api-proxy:10000` | When `OPENAI_API_KEY` is provided | OpenAI API proxy endpoint |
-| `ANTHROPIC_BASE_URL` | `http://api-proxy:10001` | When `ANTHROPIC_API_KEY` is provided | Anthropic API proxy endpoint |
+| `OPENAI_BASE_URL` | `http://172.30.0.30:10000` | When `OPENAI_API_KEY` is provided | OpenAI API proxy endpoint |
+| `ANTHROPIC_BASE_URL` | `http://172.30.0.30:10001` | When `ANTHROPIC_API_KEY` is provided | Anthropic API proxy endpoint |
 
 These are standard environment variables recognized by:
 - OpenAI Python SDK
@@ -164,7 +164,7 @@ When API keys are present (or `--enable-api-proxy` is explicitly set):
 
 ```
 Agent Code
-  ↓ (makes HTTP request to api-proxy:10000)
+  ↓ (makes HTTP request to 172.30.0.30:10000)
 Node.js API Proxy
   ↓ (injects Authorization: Bearer $OPENAI_API_KEY)
   ↓ (routes via HTTP_PROXY to Squid)

.github/workflows/smoke-codex.lock.yml

@@ -94,6 +94,11 @@ const shallowDepthRegex = /^(\s+)depth: 1\n/gm;
 // instead of pre-built GHCR images that may be stale.
 const imageTagRegex = /--image-tag\s+[0-9.]+\s+--skip-pull/g;
 
+// Remove ANTHROPIC_API_KEY from agent environment (security: API key should only be in api-proxy sidecar)
+// The API key is passed to the api-proxy container by awf CLI when --enable-api-proxy is set.
+// Match the env key + value line with any indentation
+const anthropicApiKeyRegex = /^(\s*)ANTHROPIC_API_KEY:\s+\$\{\{\s*secrets\.ANTHROPIC_API_KEY\s*\}\}\n/gm;
+
 for (const workflowPath of workflowPaths) {
   let content = fs.readFileSync(workflowPath, 'utf-8');
   let modified = false;
@@ -139,6 +144,14 @@ for (const workflowPath of workflowPaths) {
     console.log(`  Replaced ${imageTagMatches.length} --image-tag/--skip-pull with --build-local`);
   }
 
+  // Remove ANTHROPIC_API_KEY from agent environment (security issue: key should only be in api-proxy)
+  const apiKeyMatches = content.match(anthropicApiKeyRegex);
+  if (apiKeyMatches) {
+    content = content.replace(anthropicApiKeyRegex, '');
+    modified = true;
+    console.log(`  Removed ${apiKeyMatches.length} ANTHROPIC_API_KEY env var(s) from agent`);
+  }
+
   if (modified) {
     fs.writeFileSync(workflowPath, content);
     console.log(`Updated ${workflowPath}`);