docs: update architecture docs with three-component overview#1340
docs: update architecture docs with three-component overview#1340
Conversation
- Rewrite CLAUDE.md/AGENTS.md project overview to accurately describe the three-container architecture (Squid, Agent, API Proxy sidecar) - Add "Three Container Components" section with IPs, roles, and required-vs-optional status for each container - Fix outdated iptables description: setup now runs in a separate awf-iptables-init init container, not inside the agent entrypoint - Document that squid.conf is injected via AWF_SQUID_CONFIG_B64 env var (not a file bind mount) to support Docker-in-Docker - Add API Proxy Sidecar as a documented third component - Update traffic flow diagram to show full lifecycle including init container, optional API proxy path, and cleanup - Make AGENTS.md a symlink to CLAUDE.md so all agents share the same docs - Rewrite README "What it does" → "How it works" with concise three-container description for public-facing clarity Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates project documentation to describe the current three-container runtime architecture (Squid proxy, Agent, optional API proxy sidecar) and consolidates agent guidance by making AGENTS.md point to CLAUDE.md.
Changes:
- Rewrite README “How it works” section to summarize the 3-container model and roles.
- Expand
CLAUDE.mdarchitecture overview with container roles, static IPs, and updated operational details (iptables init container, Squid config injection). - Replace
AGENTS.mdcontent with a pointer/symlink toCLAUDE.mdto keep agent guidance in one place.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| README.md | Updates top-level “How it works” explanation to a 3-container summary. |
| CLAUDE.md | Rewrites architecture section to document the three-component design and updated implementation details. |
| AGENTS.md | Converts to a pointer/symlink targetting CLAUDE.md for a single source of agent guidance. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
CLAUDE.md
Outdated
| - Config passed via `AWF_SQUID_CONFIG_B64` env var (base64-encoded); entrypoint decodes to `/etc/squid/squid.conf` | ||
| - **Why base64?** Docker-in-Docker: the Docker daemon cannot access host filesystem paths, so file bind mounts don't work. See memory notes on DinD issue. | ||
| - Exposes port 3128 for proxy traffic (intercept mode — no HTTP_PROXY env var needed in agent) |
There was a problem hiding this comment.
Fixed in subsequent commits: CLAUDE.md now describes Squid as a standard forward proxy (http_port 3128, not intercept mode), with HTTP_PROXY/HTTPS_PROXY always set in the agent environment. The iptables DNAT on ports 80/443 is described as a defense-in-depth fallback for proxy-unaware tools.
CLAUDE.md
Outdated
| 1. `setup-iptables.sh`: Configures iptables NAT rules to redirect HTTP/HTTPS traffic to Squid (agent container only) | ||
| 2. `entrypoint.sh`: Drops NET_ADMIN capability, then executes user command as non-root user | ||
| - Based on `ubuntu:22.04`; can also use GitHub Actions parity image (`act` preset) | ||
| - Mounts entire host filesystem at `/host` (read-only) + writable volume at `/host$HOME` |
There was a problem hiding this comment.
Fixed: the "entire host filesystem" wording has been replaced with an accurate description of the selective bind mount model — system binaries (/usr, /bin, /sbin, /lib, /lib64, /opt, /sys, /dev) read-only; workspace and /tmp read-write; empty home volume with only whitelisted $HOME subdirs (.cache, .config, .local, .anthropic, .claude, .cargo, .rustup, .npm, .copilot); select /etc files — not /etc/shadow.
README.md
Outdated
| - **API Proxy Sidecar**: Optional Node.js-based proxy for secure LLM API credential management (OpenAI Codex, Anthropic Claude) that routes through Squid | ||
| `awf` runs three Docker containers for each invocation: | ||
|
|
||
| - **Squid proxy** — enforces domain allowlist filtering; all HTTP/HTTPS traffic is transparently redirected here via iptables DNAT |
There was a problem hiding this comment.
Fixed: README now says iptables DNAT rules redirect port 80/443 traffic that bypasses proxy env vars to Squid, and the description makes clear that HTTPS_PROXY/HTTP_PROXY env vars are the primary path (with DNAT as enforcement/fallback).
README.md
Outdated
| # Agentic Workflow Firewall | ||
|
|
||
| A network firewall for agentic workflows with domain whitelisting. This tool provides L7 (HTTP/HTTPS) egress control using [Squid proxy](https://www.squid-cache.org/) and Docker containers, restricting network access to a whitelist of approved domains for AI agents and their MCP servers. | ||
| A network firewall for agentic workflows. `awf` wraps any command in a Docker-based sandbox that enforces L7 (HTTP/HTTPS) domain whitelisting via [Squid proxy](https://www.squid-cache.org/), while giving the agent transparent access to the host filesystem. |
There was a problem hiding this comment.
Fixed: "transparent access to the host filesystem" replaced in both the README and CLAUDE.md overview. The README now says "access to the host workspace and selected system paths via selective bind mounts", and CLAUDE.md enumerates the exact mount list.
HTTPS uses HTTPS_PROXY env var (explicit CONNECT method). HTTP falls through to iptables DNAT since lowercase http_proxy is intentionally not set (httpoxy mitigation on Ubuntu 22.04). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…TLS error Squid is a forward proxy; HTTPS without HTTPS_PROXY hits Squid via iptables DNAT but the TLS handshake fails (Squid expects CONNECT). Traffic is still blocked, just with a connection error not a 403. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… host FS The agent uses granular bind mounts (system binaries ro, workspace rw, whitelisted HOME subdirs rw) not a blanket host filesystem mount. Sensitive paths like /etc/shadow and non-whitelisted home dirs are excluded. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Expand selective bind mounts list to include all mounted paths: /sbin, /lib64, /sys, /dev, /tmp, .anthropic, .rustup, group, nsswitch.conf, ld.so.cache, alternatives - Fix "transparent proxy, no HTTP_PROXY env needed" — HTTP_PROXY and HTTPS_PROXY are always set; iptables DNAT is defense-in-depth fallback - Fix API proxy port notation "10000–10002" → "10000, 10001, 10002, 10004" (discrete ports, 10003 is never bound) - Clarify port 10001 example is Anthropic-specific, not the generic sidecar address - Fix README "iptables rules block" → "redirect" (DNAT redirects to Squid, not a flat block) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…view Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
Smoke Test Results — Run 23216067932 ✅ GitHub MCP — Last 2 merged PRs:
✅ Playwright — Overall: PASS
|
Smoke Test Results✅ GitHub MCP: #1340 docs: update architecture docs with three-component overview / #1066 feat(proxy): add token-based rate limiting via response parsing Overall: PASS
|
This comment has been minimized.
This comment has been minimized.
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
|
|
🔮 The ancient spirits stir; the smoke test agent has walked these halls.
Warning
|
Summary
CLAUDE.md/AGENTS.mdproject overview to accurately describe the three-container architecture (Squid proxy, Agent, API Proxy sidecar)awf-iptables-initinit container (not inside the agent entrypoint)squid.confis injected viaAWF_SQUID_CONFIG_B64env var (not a file bind mount) to support Docker-in-DockerAGENTS.mda symlink toCLAUDE.mdso all coding agents read the same, up-to-date guidanceTest plan
AGENTS.mdsymlink resolves correctly:readlink AGENTS.md→CLAUDE.md🤖 Generated with Claude Code