Home > Uncategorized > gh-aw-firewall

gh-aw-firewall

GitHub Agentic Workflows Firewall

agentic github typescript workflows

Why this rank:Strong adoptionRecent releaseHealthy release cadence

Description

GitHub Agentic Workflows Firewall

README

Agentic Workflow Firewall

A network firewall for agentic workflows that restricts outbound HTTP/HTTPS to an allowlist of domains.

Tip

This project is a part of GitHub's explorations of Agentic Workflows. For more background, check out the project page! ✨

How it works

awf runs your command inside a Docker sandbox with three containers:

Squid proxy — filters outbound traffic by domain allowlist
Agent — runs your command; all HTTP/HTTPS is routed through Squid
API proxy sidecar (optional) — holds LLM API keys so they never reach the agent process

Requirements

Docker: 20.10+ with Docker Compose v2
Node.js: 20.19.0+ (for building from source)
OS: Ubuntu 22.04+ or compatible Linux distribution

See Compatibility for full details on supported versions and tested configurations.

Get started fast

curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo bash
sudo awf --allow-domains github.com -- curl https://api.github.com

The -- separator divides firewall options from the command to run.

Explore the docs

Quick start — install, verify, and run your first command
Usage guide — CLI flags, domain allowlists, examples
AWF config schema — machine-readable JSON Schema for JSON/YAML configs
AWF config spec — normative processing and precedence rules for tooling/compiler integration
Enterprise configuration — GitHub Enterprise Cloud and Server setup
Chroot mode — use host binaries with network isolation
API proxy sidecar — secure credential management for LLM APIs
Authentication architecture — deep dive into token handling and credential isolation
SSL Bump — HTTPS content inspection for URL path filtering
GitHub Actions — CI/CD integration and MCP server setup
Environment variables — passing environment variables to containers
Logging quick reference and Squid log filtering — view and filter traffic
Security model — what the firewall protects and how
Architecture — how Squid, Docker, and iptables fit together
Compatibility — supported Node.js, OS, and Docker versions
Troubleshooting — common issues and fixes
Image verification — cosign signature verification

Development

Install dependencies: npm install
Run tests: npm test
Build: npm run build

Contributing

Contributions welcome! Please see CONTRIBUTING.md for guidelines.

License

MIT

Release History

Version	Changes	Urgency	Date
v0.25.65	<!-- Release notes generated using configuration in .github/release.yml at v0.25.65 --> Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.25.64...v0.25.65 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args Command and arguments to execute (use -- to separate from options) Options: -V, --version out	High	6/5/2026
v0.25.58	<!-- Release notes generated using configuration in .github/release.yml at v0.25.58 --> ## What's Changed ### Other Changes * feat(api-proxy): pre-startup model validation via requestedModel config by @lpcox in https://github.com/github/gh-aw-firewall/pull/4025 * fix: synthesize identity files for ARC-DinD environments by @lpcox in https://github.com/github/gh-aw-firewall/pull/4026 * Refactor retry-logic tests to centralize shared HTTPS/stdout mocks by @Copilot in https://github.com/github/gh-	High	5/30/2026
v0.25.56	<!-- Release notes generated using configuration in .github/release.yml at v0.25.56 --> ## What's Changed ### Other Changes * Filter unresolvable model aliases from /reflect and models.json by @Copilot in https://github.com/github/gh-aw-firewall/pull/3803 * fix(api-proxy): prevent stream_options injection into OpenAI Responses API requests by @Copilot in https://github.com/github/gh-aw-firewall/pull/3805 * Refactor host-access port spec parsing to remove duplicate logic by @Copilot in https://	High	5/27/2026
v0.25.50	<!-- Release notes generated using configuration in .github/release.yml at v0.25.50 --> ## What's Changed ### Other Changes * chore: recompile all workflow lock files by @lpcox in https://github.com/github/gh-aw-firewall/pull/3345 * refactor: split token-tracker.js into four focused modules by @Copilot in https://github.com/github/gh-aw-firewall/pull/3343 * Make `BuildConfigInputs` internal to `build-config` by @Copilot in https://github.com/github/gh-aw-firewall/pull/3358 * Refactor iptables/	High	5/21/2026
v0.25.46	<!-- Release notes generated using configuration in .github/release.yml at v0.25.46 --> ## What's Changed ### Other Changes * fix: skip node --version check under QEMU emulation in agent Dockerfile by @lpcox in https://github.com/github/gh-aw-firewall/pull/3136 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.25.45...v0.25.46 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	High	5/14/2026
v0.25.42	<!-- Release notes generated using configuration in .github/release.yml at v0.25.42 --> ## What's Changed ### Documentation * [docs] docs: document Azure OpenAI OIDC (Entra-only) authentication by @github-actions[bot] in https://github.com/github/gh-aw-firewall/pull/2612 * [docs] docs: sync architecture docs with src/ refactoring by @github-actions[bot] in https://github.com/github/gh-aw-firewall/pull/2677 ### Other Changes * refactor: extract shared Docker test fixture constants to eliminate	High	5/9/2026
v0.25.37	<!-- Release notes generated using configuration in .github/release.yml at v0.25.37 --> ## What's Changed ### Other Changes * refactor: consolidate env-var forwarding in docker-manager.ts into typed arrays + loops by @Copilot in https://github.com/github/gh-aw-firewall/pull/2434 * refactor(pid-tracker): extract resolvePidFromTcpContent to deduplicate async/sync track logic by @Copilot in https://github.com/github/gh-aw-firewall/pull/2432 * refactor(cli-workflow): unexport internal-only interfa	High	5/4/2026
v0.25.29	<!-- Release notes generated using configuration in .github/release.yml at v0.25.29 --> ## What's Changed ### Other Changes * Harden api-proxy startup healthcheck to reduce early unhealthy flaps by @Copilot in https://github.com/github/gh-aw-firewall/pull/2155 * fix: correct firewall issue dispatcher tracking issue link format by @Copilot in https://github.com/github/gh-aw-firewall/pull/2161 * Ensure Copilot bootstrap can find Node.js inside AWF chroot by @Copilot in https://github.com/github/	High	4/28/2026
v0.25.28	<!-- Release notes generated using configuration in .github/release.yml at v0.25.28 --> ## What's Changed ### Other Changes * chore: upgrade and recompile all workflows to gh-aw v0.69.2 by @lpcox in https://github.com/github/gh-aw-firewall/pull/2144 * chore: bump Copilot CLI to v1.0.34 in smoke-copilot by @lpcox in https://github.com/github/gh-aw-firewall/pull/2147 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.25.27...v0.25.28 ## CLI Options ``` Usage: awf [option	High	4/22/2026
v0.25.26	<!-- Release notes generated using configuration in .github/release.yml at v0.25.26 --> ## What's Changed ### Documentation * [docs] docs: update --image-tag CLI reference for digest-aware format by @github-actions[bot] in https://github.com/github/gh-aw-firewall/pull/2095 ### Other Changes * Optimize `security-guard` Claude token usage via prompt cache alignment and smaller diff payloads by @Copilot in https://github.com/github/gh-aw-firewall/pull/2085 * Add digest-aware AWF runtime image pin	High	4/21/2026
v0.25.25	<!-- Release notes generated using configuration in .github/release.yml at v0.25.25 --> ## What's Changed ### Other Changes * Optimize Smoke Claude workflow token spend (Haiku model, tighter turn cap, narrower GitHub toolset) by @Copilot in https://github.com/github/gh-aw-firewall/pull/2065 * [awf] API proxy: correct OpenAI base URL injection for Codex `/v1/responses` routing by @Copilot in https://github.com/github/gh-aw-firewall/pull/2066 * [Deps] Safe patch/minor devDependency refresh (2026	High	4/18/2026
v0.25.24	<!-- Release notes generated using configuration in .github/release.yml at v0.25.24 --> ## What's Changed ### Other Changes * chore: upgrade all workflows to gh-aw v0.68.7 by @lpcox in https://github.com/github/gh-aw-firewall/pull/2050 * feat: switch smoke-copilot-byok from cli-proxy to byok-copilot feature by @lpcox in https://github.com/github/gh-aw-firewall/pull/2056 * feat: convert remaining cli-proxy workflows to byok-copilot by @lpcox in https://github.com/github/gh-aw-firewall/pull/2058	High	4/18/2026
v0.25.23	<!-- Release notes generated using configuration in .github/release.yml at v0.25.23 --> ## What's Changed ### Other Changes * fix: make smoke-claude safe outputs trigger-aware for workflow_dispatch by @lpcox in https://github.com/github/gh-aw-firewall/pull/2036 * fix: allow package.json/lock in dep security monitor PRs by @lpcox in https://github.com/github/gh-aw-firewall/pull/2041 * Fix BYOK smoke workflow COPILOT_MODEL fallback override in postprocessing by @Copilot in https://github.com/git	High	4/17/2026
v0.25.22	<!-- Release notes generated using configuration in .github/release.yml at v0.25.22 --> ## What's Changed ### Other Changes * feat: add AWF JSON/YAML config ingestion with schema validation and CLI precedence by @Copilot in https://github.com/github/gh-aw-firewall/pull/2018 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.25.21...v0.25.22 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Argu	High	4/16/2026
v0.25.21	<!-- Release notes generated using configuration in .github/release.yml at v0.25.21 --> ## What's Changed ### Other Changes * secret-digger-claude: switch to Haiku, lower max-turns to 4 by @Copilot in https://github.com/github/gh-aw-firewall/pull/1956 * optimize(secret-digger-claude): default threat detection to Haiku, drop version-reporting import by @Copilot in https://github.com/github/gh-aw-firewall/pull/1974 * feat: add upstream corporate proxy support for self-hosted runners by @lpcox in	High	4/16/2026
v0.25.20	<!-- Release notes generated using configuration in .github/release.yml at v0.25.20 --> ## What's Changed ### Other Changes * fix: increase claude-token-optimizer timeout from 10 to 15 minutes by @lpcox in https://github.com/github/gh-aw-firewall/pull/1937 * perf(security-guard): reduce Claude token cost ~32% via turn cap, relevance gate, and conciseness by @Copilot in https://github.com/github/gh-aw-firewall/pull/1940 * feat: collect diagnostic logs on container startup failure by @Copilot in	High	4/13/2026
v0.25.19	<!-- Release notes generated using configuration in .github/release.yml at v0.25.19 --> ## What's Changed ### Other Changes * fix: increase claude-token-usage-analyzer timeout to 45 minutes by @lpcox in https://github.com/github/gh-aw-firewall/pull/1842 * fix: rewrite squid_https_latency to use background containers by @Copilot in https://github.com/github/gh-aw-firewall/pull/1816 * fix: increase security-guard max-turns from 15 to 25 by @lpcox in https://github.com/github/gh-aw-firewall/pull/	Medium	4/12/2026
v0.25.18	<!-- Release notes generated using configuration in .github/release.yml at v0.25.18 --> ## What's Changed ### Other Changes * feat: enable cli-proxy in smoke-copilot workflow by @lpcox in https://github.com/github/gh-aw-firewall/pull/1820 * test: add regression tests for cli-proxy validated fixes from #1820 by @Copilot in https://github.com/github/gh-aw-firewall/pull/1826 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.25.17...v0.25.18 ## CLI Options ``` Usage: awf	High	4/9/2026
v0.25.17	<!-- Release notes generated using configuration in .github/release.yml at v0.25.17 --> ## What's Changed ### Other Changes * feat: forward OIDC env vars into agent container by @Copilot in https://github.com/github/gh-aw-firewall/pull/1796 * fix: normalize API target env vars to bare hostnames via URL parsing by @lpcox in https://github.com/github/gh-aw-firewall/pull/1799 * perf: tune healthcheck intervals for squid and api-proxy containers by @Copilot in https://github.com/github/gh-aw-firew	High	4/8/2026
v0.25.16	<!-- Release notes generated using configuration in .github/release.yml at v0.25.16 --> ## What's Changed ### Other Changes * fix: share mcpg network namespace to fix TLS hostname verification by @lpcox in https://github.com/github/gh-aw-firewall/pull/1778 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.25.15...v0.25.16 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	Medium	4/8/2026
v0.25.14	<!-- Release notes generated using configuration in .github/release.yml at v0.25.14 --> ## What's Changed ### Documentation * [docs] docs: document --session-state-dir flag and AWF_SESSION_STATE_DIR env var by @github-actions[bot] in https://github.com/github/gh-aw-firewall/pull/1600 * [docs] docs: sync smoke-claude toolset and max-turns after token optimization by @github-actions[bot] in https://github.com/github/gh-aw-firewall/pull/1641 ### Other Changes * feat: add daily token optimization	Medium	4/7/2026
v0.25.13	<!-- Release notes generated using configuration in .github/release.yml at v0.25.13 --> ## What's Changed ### Other Changes * feat: add Daily Claude Token Usage Analyzer workflow by @lpcox in https://github.com/github/gh-aw-firewall/pull/1605 * fix: prevent Squid config injection via --allow-domains and --allow-urls by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1517 * perf: reduce smoke-copilot token usage with pre-steps and tool trimming by @lpcox in https://github.com/github/g	Medium	4/2/2026
v0.25.12	<!-- Release notes generated using configuration in .github/release.yml at v0.25.12 --> ## What's Changed ### Other Changes * fix: extract OpenAI/Copilot cached_tokens from prompt_tokens_details by @lpcox in https://github.com/github/gh-aw-firewall/pull/1603 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.25.11...v0.25.12 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	Medium	4/2/2026
v0.25.11	<!-- Release notes generated using configuration in .github/release.yml at v0.25.11 --> ## What's Changed ### Other Changes * fix: rename and scope token analyzer to Copilot workflows by @lpcox in https://github.com/github/gh-aw-firewall/pull/1588 * fix: capture full session state — replace blanket ~/.copilot mount, add --session-state-dir by @lpcox in https://github.com/github/gh-aw-firewall/pull/1593 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.25.10...v0.25.11	Medium	4/2/2026
v0.25.10	<!-- Release notes generated using configuration in .github/release.yml at v0.25.10 --> ## What's Changed ### Other Changes * feat: add daily token usage analyzer workflow by @lpcox in https://github.com/github/gh-aw-firewall/pull/1557 * fix: recompile token-usage-analyzer lock file by @lpcox in https://github.com/github/gh-aw-firewall/pull/1586 * feat: add esbuild single-file bundle as lightweight distribution by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1581 **Full Changelo	Medium	4/2/2026
v0.25.9	<!-- Release notes generated using configuration in .github/release.yml at v0.25.9 --> ## What's Changed ### Other Changes * fix: copy AWF CA cert to chroot-accessible path for ssl-bump by @lpcox in https://github.com/github/gh-aw-firewall/pull/1555 * feat: auto-detect host DNS resolvers instead of hardcoding Google DNS by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1513 * [Test Coverage] Add 100% test coverage for logs-audit command by @github-actions[bot] in https://github.com/	Medium	4/1/2026
v0.25.8	<!-- Release notes generated using configuration in .github/release.yml at v0.25.8 --> ## What's Changed ### Other Changes * fix: decompress gzip responses for Anthropic token extraction by @lpcox in https://github.com/github/gh-aw-firewall/pull/1550 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.25.7...v0.25.8 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	Medium	4/1/2026
v0.25.7	<!-- Release notes generated using configuration in .github/release.yml at v0.25.7 --> ## What's Changed ### Other Changes * feat: include api-proxy token logs in firewall audit artifact by @lpcox in https://github.com/github/gh-aw-firewall/pull/1549 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.25.6...v0.25.7 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	Medium	4/1/2026
v0.25.6	<!-- Release notes generated using configuration in .github/release.yml at v0.25.6 --> ## What's Changed ### Other Changes * fix: api-proxy auth chain — trim keys, align placeholder format, add diagnostics by @lpcox in https://github.com/github/gh-aw-firewall/pull/1528 * feat: add smoke-services workflow for --allow-host-service-ports e2e testing by @lpcox in https://github.com/github/gh-aw-firewall/pull/1534 * feat: add token usage tracking to api-proxy sidecar by @lpcox in https://github.com	Medium	4/1/2026
v0.25.5	<!-- Release notes generated using configuration in .github/release.yml at v0.25.5 --> ## What's Changed ### Other Changes * fix: copy get-claude-key.sh to chroot-accessible path by @lpcox in https://github.com/github/gh-aw-firewall/pull/1508 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.25.4...v0.25.5 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	Medium	3/31/2026
v0.25.4	<!-- Release notes generated using configuration in .github/release.yml at v0.25.4 --> ## What's Changed ### Other Changes * fix: always derive GH_HOST from GITHUB_SERVER_URL to prevent proxy leakage by @lpcox in https://github.com/github/gh-aw-firewall/pull/1493 * fix: debug logging for GITHUB_PATH merge + document setup-* tool availability in chroot by @Copilot in https://github.com/github/gh-aw-firewall/pull/1468 * feat: add volume mount for ~/.copilot/session-state to persist events.jsonl	Medium	3/30/2026
v0.25.3	<!-- Release notes generated using configuration in .github/release.yml at v0.25.3 --> ## What's Changed ### Other Changes * fix: auto-inject GH_HOST from GITHUB_SERVER_URL when --env-all is used by @Copilot in https://github.com/github/gh-aw-firewall/pull/1453 * feat: add AWF issue auditor workflow by @lpcox in https://github.com/github/gh-aw-firewall/pull/1459 * feat: add --env-file support for injecting env vars from a file by @Copilot in https://github.com/github/gh-aw-firewall/pull/1457 *	Medium	3/28/2026
v0.25.2	<!-- Release notes generated using configuration in .github/release.yml at v0.25.2 --> ## What's Changed ### New Feature: `--allow-host-service-ports` Adds a new `--allow-host-service-ports <ports>` CLI flag for accessing GitHub Actions `services:` containers (e.g., PostgreSQL, Redis, MySQL) from within the AWF sandbox. Why: GitHub Actions `services:` containers publish ports to the host via port mapping. These are typically on "dangerous" ports (5432, 6379, 3306) that AWF blocks by defa	Medium	3/26/2026
v0.25.1	<!-- Release notes generated using configuration in .github/release.yml at v0.25.1 --> ## What's Changed ### Documentation * docs: Fix proxy env var docs and add missing CLI flags by @github-actions[bot] in https://github.com/github/gh-aw-firewall/pull/1350 ### Other Changes * fix: write apiKeyHelper to ~/.claude/settings.json for Claude Code v2.1.81+ by @lpcox in https://github.com/github/gh-aw-firewall/pull/1414 * Pre-install commonly needed system packages in agent container image by @Copil	Medium	3/26/2026
v0.25.0	<!-- Release notes generated using configuration in .github/release.yml at v0.25.0 --> ## What's Changed ### Other Changes * chore(deps): update trivy-action to v0.35.0 by @lpcox in https://github.com/github/gh-aw-firewall/pull/1383 * chore: remove all trivy references by @Copilot in https://github.com/github/gh-aw-firewall/pull/1389 * feat: increase default agent memory limit to 6GB and enable swap by @Copilot in https://github.com/github/gh-aw-firewall/pull/1360 * Propagate $GITHUB_PATH into	Medium	3/23/2026
v0.24.5	<!-- Release notes generated using configuration in .github/release.yml at v0.24.5 --> ## What's Changed ### Other Changes * fix: update vulnerable dependencies (flatted, markdownlint-cli2) by @Copilot in https://github.com/github/gh-aw-firewall/pull/1374 * fix: eliminate 10s container shutdown delay by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1373 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.24.4...v0.24.5 ## CLI Options ``` Usage: awf [options]	Low	3/19/2026
v0.24.4	<!-- Release notes generated using configuration in .github/release.yml at v0.24.4 --> ## What's Changed ### Documentation * docs: fix iptables logging references after simplification by @github-actions[bot] in https://github.com/github/gh-aw-firewall/pull/1292 ### Other Changes * fix: skip safe dependency update PR when existing PR is open by @Copilot in https://github.com/github/gh-aw-firewall/pull/1335 * docs: update architecture docs with three-component overview by @Mossaka in https://git	Low	3/19/2026
v0.24.3	<!-- Release notes generated using configuration in .github/release.yml at v0.24.3 --> ## What's Changed ### Other Changes * fix: route GHEC Copilot proxy to copilot-api subdomain by @Copilot in https://github.com/github/gh-aw-firewall/pull/1331 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.24.2...v0.24.3 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	Low	3/17/2026
v0.24.2	<!-- Release notes generated using configuration in .github/release.yml at v0.24.2 --> ## What's Changed ### Other Changes * feat(ci): add CI quality gates - CODEOWNERS, markdownlint, link checking by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1269 * fix(squid): run Squid container as non-root proxy user by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1271 * feat(ci): add weekly performance monitoring workflow by @Mossaka in https://github.com/github/gh-aw-firewall/	Low	3/15/2026
v0.24.1	<!-- Release notes generated using configuration in .github/release.yml at v0.24.1 --> ## What's Changed ### Other Changes * ci: skip CI when only release.yml changes by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1261 * docs: sync version references and add missing CLI flags by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1223 * docs: document flag validation constraints by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1230 * chore(deps): aggregated depe	Low	3/12/2026
v0.24.0	<!-- Release notes generated using configuration in .github/release.yml at v0.24.0 --> ## What's Changed ### Other Changes * test: add CI workflow for non-chroot integration tests by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1048 * test: add DNS restriction enforcement tests by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1054 * test: fix docker-warning tests and fragile timing dependencies by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1049 * fix(ci)	Low	3/12/2026
v0.23.1	<!-- Release notes generated using configuration in .github/release.yml at v0.23.1 --> ## What's Changed ### Other Changes * docs: add sandbox design rationale (Docker vs microVMs) by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1025 * fix: always set NO_PROXY to bypass Squid for localhost by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1032 * chore: remove smoke-gemini workflow by @Mossaka in https://github.com/github/gh-aw-firewall/pull/1033 * feat: group --help fla	Low	2/26/2026
v0.23.0	<!-- Release notes generated using configuration in .github/release.yml at v0.23.0 --> ## What's Changed ### Other Changes * feat: update agentic workflows to v0.47.0 and add smoke-gemini by @Copilot in https://github.com/github/gh-aw-firewall/pull/974 * docs: add releasing.md link to CLAUDE.md by @Mossaka in https://github.com/github/gh-aw-firewall/pull/981 * fix: add iptables bypass for container self-traffic by @Copilot in https://github.com/github/gh-aw-firewall/pull/977 * chore: remove _c	Low	2/24/2026
v0.20.2	<!-- Release notes generated using configuration in .github/release.yml at v0.20.2 --> ## What's Changed ### Other Changes * feat: simplify release to workflow_dispatch only by @Mossaka in https://github.com/github/gh-aw-firewall/pull/968 * fix: add writable tmpfs for /host/dev/shm (POSIX semaphores) by @Mossaka in https://github.com/github/gh-aw-firewall/pull/972 * Add macOS binary support (Darwin x64 and ARM64) by @Mossaka in https://github.com/github/gh-aw-firewall/pull/973 * feat: set NO_C	Low	2/19/2026
v0.20.1	<!-- Release notes generated using configuration in .github/release.yml at v0.20.1 --> ## What's Changed ### Other Changes * feat(api-proxy): centralize port configuration in types.ts by @Claude in https://github.com/github/gh-aw-firewall/pull/955 * docs: add api-proxy image publishing details to release guide by @Copilot in https://github.com/github/gh-aw-firewall/pull/954 * feat: add ARM64 binary support for awf CLI by @Mossaka in https://github.com/github/gh-aw-firewall/pull/965 **Full Ch	Low	2/19/2026
v0.20.0	<!-- Release notes generated using configuration in .github/release.yml at v0.20.0 --> ## What's Changed ### Other Changes * chore: reduce dependabot PR volume to ~5/week by @Mossaka in https://github.com/github/gh-aw-firewall/pull/937 * docs: convert API proxy docs to Starlight format by @Mossaka in https://github.com/github/gh-aw-firewall/pull/941 * feat: add github copilot api proxy support by @Copilot in https://github.com/github/gh-aw-firewall/pull/945 Full Changelog: https://github	Low	2/18/2026
v0.19.1	<!-- Release notes generated using configuration in .github/release.yml at v0.19.1 --> ## What's Changed ### Documentation * [docs] docs: add AWF_ONE_SHOT_TOKEN_DEBUG documentation by @github-actions[bot] in https://github.com/github/gh-aw-firewall/pull/867 ### Other Changes * perf: parallelize container image builds in release workflow by @Mossaka in https://github.com/github/gh-aw-firewall/pull/909 * fix: remove .claude.json file bind mount regression by @Mossaka in https://github.com/github	Low	2/17/2026
v0.19.0	<!-- Release notes generated using configuration in .github/release.yml at v0.19.0 --> ## What's Changed ### Documentation * [docs] Sync CLI flags and agent image presets with code by @github-actions[bot] in https://github.com/github/gh-aw-firewall/pull/861 ### Other Changes * feat: add AWF_ONE_SHOT_TOKEN_DEBUG env var for silent-by-default logging by @Claude in https://github.com/github/gh-aw-firewall/pull/864 * feat: add ARM64 multi-architecture container builds by @Mossaka in https://github	Low	2/16/2026
v0.18.0	<!-- Release notes generated using configuration in .github/release.yml at main --> ## What's Changed ### Documentation * [docs] docs: sync version requirements with package.json by @github-actions[bot] in https://github.com/github/gh-aw-firewall/pull/848 ### Other Changes * feat: proxy claude api calls to secure auth token by @Claude in https://github.com/github/gh-aw-firewall/pull/849 * feat: disable codex credential sharing, enable proxied calls by @Claude in https://github.com/github/gh-aw	Low	2/14/2026
v0.17.1	<!-- Release notes generated using configuration in .github/release.yml at v0.17.1 --> ## What's Changed ### Other Changes * feat: proxy claude api calls to secure auth token by @Claude in https://github.com/github/gh-aw-firewall/pull/849 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.17.0...v0.17.1 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	Low	2/14/2026
v0.17.0	<!-- Release notes generated using configuration in .github/release.yml at v0.17.0 --> ## What's Changed ### Other Changes * perf: batch chroot integration tests to reduce container overhead by @Mossaka in https://github.com/github/gh-aw-firewall/pull/845 * feat(ci): add api-proxy image to release pipeline by @Mossaka in https://github.com/github/gh-aw-firewall/pull/846 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.16.5...v0.17.0 ## CLI Options ``` Usage: awf [opt	Low	2/14/2026
v0.16.5	<!-- Release notes generated using configuration in .github/release.yml at v0.16.5 --> ## What's Changed ### Other Changes * fix: add roles: all to smoke-codex workflow by @Mossaka in https://github.com/github/gh-aw-firewall/pull/841 * fix: fix API proxy sidecar bugs preventing Anthropic-only usage by @Mossaka in https://github.com/github/gh-aw-firewall/pull/843 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.16.4...v0.16.5 ## CLI Options ``` Usage: awf [options] [c	Low	2/13/2026
v0.16.4	<!-- Release notes generated using configuration in .github/release.yml at v0.16.4 --> ## What's Changed ### Other Changes * test: fix exit code validation in test runner fixture by @Claude in https://github.com/github/gh-aw-firewall/pull/792 * fix: unset sensitive tokens from entrypoint environ after agent starts by @Claude in https://github.com/github/gh-aw-firewall/pull/809 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.16.3...v0.16.4 ## CLI Options ``` Usage: a	Low	2/13/2026
v0.16.3	<!-- Release notes generated using configuration in .github/release.yml at v0.16.3 --> ## What's Changed ### Other Changes * fix: harden one-shot-token binary against ELF reconnaissance by @Mossaka in https://github.com/github/gh-aw-firewall/pull/776 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.16.2...v0.16.3 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	Low	2/13/2026
v0.16.2	<!-- Release notes generated using configuration in .github/release.yml at v0.16.2 --> ## What's Changed ### Other Changes * feat: rust one-shot-token library by @Claude in https://github.com/github/gh-aw-firewall/pull/791 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.16.1...v0.16.2 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	Low	2/13/2026
v0.16.1	<!-- Release notes generated using configuration in .github/release.yml at v0.16.1 --> ## What's Changed ### Other Changes * fix: use granular workspace mounting instead of entire HOME directory by @Claude in https://github.com/github/gh-aw-firewall/pull/699 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.16.0...v0.16.1 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	Low	2/13/2026
v0.16.0	<!-- Release notes generated using configuration in .github/release.yml at v0.16.0 --> ## What's Changed ### Other Changes * fix: upgrade gpgv in squid container to address CVE-2025-68973 by @Mossaka in https://github.com/github/gh-aw-firewall/pull/757 * fix: upgrade packages in agent container to mitigate CVE-2023-44487 by @Mossaka in https://github.com/github/gh-aw-firewall/pull/760 * fix: use secure temp directory in volume-mounts test by @Mossaka in https://github.com/github/gh-aw-firewall	Low	2/13/2026
v0.15.0	<!-- Release notes generated using configuration in .github/release.yml at v0.15.0 --> ## What's Changed ### Other Changes * refactor: remove --enable-chroot flag, make chroot mode always-on by @Copilot in https://github.com/github/gh-aw-firewall/pull/714 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.14.3...v0.15.0 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: args	Low	2/12/2026
v0.14.3	<!-- Release notes generated using configuration in .github/release.yml at v0.14.3 --> ## What's Changed ### Other Changes * fix: eliminate nested bash layer in chroot command execution for Java/.NET by @Copilot in https://github.com/github/gh-aw-firewall/pull/715 Full Changelog: https://github.com/github/gh-aw-firewall/compare/v0.14.2...v0.14.3 ## CLI Options ``` Usage: awf [options] [command] [args...] Network firewall for agentic workflows with domain whitelisting Arguments: arg	Low	2/12/2026

Dependencies & License Audit

Loading dependencies...

Similar Packages

AutoRedact🛡️ Redact sensitive information from images securely in your browser with AutoRedact, featuring automatic detection and local processing for privacy.main@2026-06-06

anolisaANOLISA - Agentic Nexus Operating Layer & Interface System Architectureckpt/v0.3.3

tweakccCustomize Claude Code's system prompts, create custom toolsets, input pattern highlighters, themes/thinking verbs/spinners, customize input box & user message styling, support AGENTS.md, unlock privatv4.0.14

argentAn agentic toolkit to control, debug, and profile the iOS Simulator. Made by Software Mansion.v0.9.0

slot-jsx-pragma🎰 Enable declarative slottable components with a custom JSX pragma for seamless React integration and enhanced performance.main@2026-06-06

More from github

awesome-copilotCommunity-contributed instructions, agents, skills, and configurations to help you make the most of GitHub Copilot.

More in Uncategorized

llama.cppLLM inference in C/C++

anthropic-sdk-python

modal-clientSDK libraries for Modal

anolisaANOLISA - Agentic Nexus Operating Layer & Interface System Architecture