Summary
The CLI reference contains several inaccuracies that should be corrected.
Inaccuracies
1. --dns-servers default is wrong
- Docs say: 8.8.8.8,8.8.4.4 (hardcoded Google DNS)
- Actual: detectHostDnsServers() (added in PR feat: auto-detect host DNS resolvers instead of hardcoding Google DNS #1513). Falls back to Google DNS only if detection fails.
2. --keep-containers cleanup note references wrong container name
- Docs say: docker stop awf-squid awf-copilot
- Actual: Container is named awf-agent, not awf-copilot
3. --mount default mounts description is misleading
- Docs say: "host filesystem at /host (read-only)"
- Actual: AWF uses selective bind mounts, not a blanket host FS mount. System binaries (/usr, /bin, /sbin, /lib, /lib64, /opt, /sys, /dev) are mounted read-only; workspace and /tmp read-write; whitelisted $HOME subdirs read-write; select /etc files only (not /etc/shadow).
4. --allow-host-ports default description is outdated
- Docs say: "Current default allows all ports (future versions will default to 80,443)"
- Actual: Default is already 80,443 in the current code.