Skip to content

[WIP] Enable --enable-api-proxy for Claude and Codex engines #15550

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pelikhan merged 2 commits into from
Feb 14, 2026
Merged

[WIP] Enable --enable-api-proxy for Claude and Codex engines #15550

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
cb8ec3e
Initial plan
Copilot Feb 14, 2026
b718e30
Revert Codex API proxy changes
Copilot Feb 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/changeset.lock.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions .github/workflows/codex-github-remote-mcp-test.lock.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions .github/workflows/smoke-codex.lock.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 0 additions & 6 deletions pkg/workflow/codex_engine.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -247,12 +247,6 @@ func (e *CodexEngine) GetExecutionSteps(workflowData *WorkflowData, logFile stri
awfArgs = append(awfArgs, "--skip-pull")
codexEngineLog.Print("Using --skip-pull since images are pre-downloaded")

// Enable API proxy sidecar for secure credential management
// The api-proxy container holds the OPENAI_API_KEY and proxies
// requests to api.openai.com through the firewall
awfArgs = append(awfArgs, "--enable-api-proxy")
codexEngineLog.Print("Added --enable-api-proxy for Codex API proxying")

// Note: No --tty flag for Codex (it's not a TUI, it outputs to stdout/stderr)

// Add SSL Bump support for HTTPS content inspection (v0.9.0+)
Comment on lines 247 to 252
Copy link

Copilot AI Feb 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR title says enabling --enable-api-proxy for Claude and Codex, but this change removes --enable-api-proxy from the Codex engine. Please align the PR title/description with the actual change (either update the title to reflect reverting Codex support, or reintroduce Codex support if that’s the intent).

Copilot uses AI. Check for mistakes.
Expand Down
3 changes: 1 addition & 2 deletions pkg/workflow/docker.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,9 +107,8 @@ func collectDockerImages(tools map[string]any, workflowData *WorkflowData, actio

// Add api-proxy sidecar container for engines that use --enable-api-proxy
// The api-proxy holds LLM API keys securely and proxies requests through Squid:
// - Port 10000: OpenAI API proxy (for Codex)
// - Port 10001: Anthropic API proxy (for Claude)
if workflowData != nil && (workflowData.AI == "claude" || workflowData.AI == "codex") {
if workflowData != nil && workflowData.AI == "claude" {
apiProxyImage := constants.DefaultFirewallRegistry + "/api-proxy:" + awfImageTag
Comment on lines 108 to 112
Copy link

Copilot AI Feb 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment higher up in this function still says the api-proxy container is “for Claude/Codex”, but the condition now only adds api-proxy when workflowData.AI == "claude". Update the surrounding comment text to avoid misleading future maintainers about which engines require the api-proxy sidecar.

Copilot uses AI. Check for mistakes.
if !imageSet[apiProxyImage] {
images = append(images, apiProxyImage)
Expand Down
5 changes: 0 additions & 5 deletions pkg/workflow/docker_api_proxy_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,11 +19,6 @@ func TestCollectDockerImages_APIProxyForClaude(t *testing.T) {
engine: "claude",
expectAPIProxy: true,
},
{
name: "Codex engine includes api-proxy image",
engine: "codex",
expectAPIProxy: true,
},
{
name: "Copilot engine does not include api-proxy image",
engine: "copilot",
Expand Down
29 changes: 1 addition & 28 deletions pkg/workflow/enable_api_proxy_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ import (
"testing"
)

// TestEngineAWFEnableApiProxy tests that Claude and Codex engines include --enable-api-proxy
// TestEngineAWFEnableApiProxy tests that Claude engine includes --enable-api-proxy
// in AWF commands, while Copilot does not.
func TestEngineAWFEnableApiProxy(t *testing.T) {
t.Run("Claude AWF command includes enable-api-proxy flag", func(t *testing.T) {
Expand Down Expand Up @@ -35,33 +35,6 @@ func TestEngineAWFEnableApiProxy(t *testing.T) {
}
})

Copy link

Copilot AI Feb 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Codex case was removed here, but there’s no remaining assertion that Codex does not include --enable-api-proxy. Since the Codex engine behavior changed in this PR, add a negative Codex test to prevent regressions (similar to the Copilot assertion).

Suggested change
t.Run("Codex AWF command does not include enable-api-proxy flag", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "codex",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
},
},
}
engine := NewCodexEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")
if len(steps) == 0 {
t.Fatal("Expected at least one execution step")
}
stepContent := strings.Join(steps[0], "\n")
if strings.Contains(stepContent, "--enable-api-proxy") {
t.Error("Expected Codex AWF command to NOT contain '--enable-api-proxy' flag")
}
})

Copilot uses AI. Check for mistakes.
t.Run("Codex AWF command includes enable-api-proxy flag", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
EngineConfig: &EngineConfig{
ID: "codex",
},
NetworkPermissions: &NetworkPermissions{
Firewall: &FirewallConfig{
Enabled: true,
},
},
}

engine := NewCodexEngine()
steps := engine.GetExecutionSteps(workflowData, "test.log")

if len(steps) == 0 {
t.Fatal("Expected at least one execution step")
}

stepContent := strings.Join(steps[0], "\n")

if !strings.Contains(stepContent, "--enable-api-proxy") {
t.Error("Expected Codex AWF command to contain '--enable-api-proxy' flag")
}
})

t.Run("Copilot AWF command does not include enable-api-proxy flag", func(t *testing.T) {
workflowData := &WorkflowData{
Name: "test-workflow",
Expand Down