You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
"description": "AWF platform.type override. Declares the GitHub deployment type so AWF can apply deterministic Copilot auth behavior without relying on host heuristics. Omit to let AWF use its default host heuristic behavior."
3259
3259
},
3260
+
"network-isolation": {
3261
+
"type": "boolean",
3262
+
"description": "Enable AWF network topology egress mode (--network-isolation). In this mode, MCP sidecars run as bridge containers and AWF attaches them to its internal awf-net network."
awfHelpersLog.Print("Skipping host-access flags: sandbox.agent.network-isolation is enabled")
631
616
} else {
632
-
awfHelpersLog.Printf("Skipping --allow-host-ports: AWF version %q requires at least %s", getAWFImageTag(firewallConfig), constants.AWFAllowHostPortsMinVersion)
617
+
// Always add --enable-host-access: needed for the API proxy sidecar
618
+
// (to reach host.docker.internal:<port>) and for MCP gateway communication
619
+
awfArgs=append(awfArgs, "--enable-host-access")
620
+
awfHelpersLog.Print("Added --enable-host-access for API proxy and MCP gateway")
621
+
622
+
// AWF's --enable-host-access defaults to ports 80,443. The MCP gateway now
623
+
// listens on port 8080 (non-privileged), so we must explicitly allow it
awfHelpersLog.Printf("Added --allow-host-ports %s for MCP gateway access", hostPorts)
634
+
} else {
635
+
awfHelpersLog.Printf("Skipping --allow-host-ports: AWF version %q requires at least %s", getAWFImageTag(firewallConfig), constants.AWFAllowHostPortsMinVersion)
636
+
}
633
637
}
634
638
635
639
// Skip pulling images since they are pre-downloaded
0 commit comments