
feat: proxy claude api calls to secure auth token #849

Merged
lpcox merged 29 commits into main from claude/summarize-firewall-proxying
Feb 14, 2026

@Claude
Contributor

@Claude Claude AI commented Feb 14, 2026

  • Update OPENAI_BASE_URL in docker-manager.ts to include /v1 path (http://172.30.0.30:10000/v1)
  • Update documentation in types.ts to reflect the /v1 path
  • Build and verify no compilation errors

Claude AI and others added 2 commits February 14, 2026 13:36
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
@Claude Claude AI changed the title from "[WIP] Document firewall handling of proxying Claude agent calls" to "docs: add comprehensive authentication architecture guide" Feb 14, 2026
@Claude Claude AI requested a review from lpcox February 14, 2026 13:38
@lpcox
Collaborator

lpcox commented Feb 14, 2026

@claude[agent] the codex agent also supports api proxying through the OPENAI_BASE_URL environment variable. Using the same architecture used to secure claude, implement api-proxying for codex via the OPENAI_BASE_URL

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
@Claude
Contributor Author

Claude AI commented Feb 14, 2026

@claude[agent] the codex agent also supports api proxying through the OPENAI_BASE_URL environment variable. Using the same architecture used to secure claude, implement api-proxying for codex via the...

Done! The documentation now clearly shows that Codex (OpenAI) uses the identical credential isolation architecture as Claude.

Key updates in commit 0f73e98:

Architecture confirmation:

  • OpenAI API key held exclusively in api-proxy container (port 10000)
  • Agent receives only OPENAI_BASE_URL=http://172.30.0.30:10000
  • API proxy injects Authorization: Bearer $OPENAI_API_KEY
  • Routes through Squid for domain filtering (same as Claude)

Documentation enhancements:

  • Added callout box emphasizing both providers use identical architecture
  • Side-by-side code examples (Anthropic SDK vs OpenAI SDK)
  • Parallel traffic flow diagrams for both providers
  • Separate configuration examples for Claude, Codex, and both together

The implementation already existed—the doc now gives equal treatment to both providers.
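
The credential isolation described in the comment above, as an added example that is not code from this PR: the agent's environment is built without the key, and the proxy discards any agent-supplied `Authorization` header before injecting its own. The function names and the upstream host `api.openai.com` are assumptions.

```javascript
// Added illustration; not code from this PR. Function names are hypothetical.
const PROXY_BASE_URL = "http://172.30.0.30:10000"; // api-proxy address quoted above
const UPSTREAM_HOST = "api.openai.com";            // assumed upstream API host
const SECRET_VARS = ["OPENAI_API_KEY"];            // must exist only in the api-proxy

// Environment for the agent container: secrets removed, SDK pointed at the proxy.
function buildAgentEnv(hostEnv) {
  const env = {};
  for (const [name, value] of Object.entries(hostEnv)) {
    if (!SECRET_VARS.includes(name)) env[name] = value;
  }
  env.OPENAI_BASE_URL = PROXY_BASE_URL;
  return env;
}

// Never forwarded as received: anything credential-bearing the agent sent,
// plus headers that describe the agent-to-proxy hop rather than the request.
const DROPPED = new Set(["authorization", "proxy-authorization", "host", "connection"]);

// Headers the proxy sends upstream: agent headers minus DROPPED, plus the real key.
function buildUpstreamHeaders(agentHeaders, apiKey) {
  if (!apiKey) throw new Error("api-proxy started without OPENAI_API_KEY");
  const out = {};
  for (const [name, value] of Object.entries(agentHeaders)) {
    const lower = name.toLowerCase();
    if (!DROPPED.has(lower)) out[lower] = value;
  }
  out.host = UPSTREAM_HOST;
  out.authorization = `Bearer ${apiKey}`;
  return out;
}

// Constructed sample input (not real credentials or captured traffic).
const hostEnv = { PATH: "/usr/bin", OPENAI_API_KEY: "sk-constructed-example" };
const agentHeaders = {
  "Content-Type": "application/json",
  "Authorization": "Bearer value-set-by-agent",
  "Host": "172.30.0.30:10000",
};

const agentEnv = buildAgentEnv(hostEnv);
const upstream = buildUpstreamHeaders(agentHeaders, hostEnv.OPENAI_API_KEY);
// Log names only, so the key never reaches the proxy's logs.
console.log(Object.keys(agentEnv), Object.keys(upstream));
```
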

@Claude Claude AI changed the title from "docs: add comprehensive authentication architecture guide" to "docs: add comprehensive authentication architecture guide for LLM APIs" Feb 14, 2026
@github-actions
Contributor

github-actions bot commented Feb 14, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions
Contributor

github-actions bot commented Feb 14, 2026

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

Smoke test complete - GitHub MCP, file writing, and bash tools validated. Playwright blocked by network restrictions (expected in firewall environment). Results posted to PR #849.

@github-actions
Contributor

github-actions bot commented Feb 14, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions
Contributor

🧪 Bun Build Test Results

Project Install Tests Status
elysia 1/1 ✅ PASS
hono 1/1 ✅ PASS

Overall: ✅ PASS

All Bun projects successfully installed dependencies and passed their test suites.

AI generated by Build Test Bun

@github-actions
Contributor

Smoke Test Results (Claude Engine)

Last 2 Merged PRs:

  • feat: kong proxy for codex
  • feat(ci): add api-proxy image to release pipeline

Test Results:

  • ✅ GitHub MCP (list PRs)
  • ❌ Playwright (browser download blocked by firewall)
  • ✅ File Writing (/tmp/gh-aw/agent/smoke-test-claude-22018519698.txt)
  • ✅ Bash Tool (verified file contents)

Status: PARTIAL PASS (3/4 tests passed, Playwright blocked by network restrictions)

AI generated by Smoke Claude

@github-actions
Contributor

Deno Build Test Results

Project Tests Status
oak 1/1 ✅ PASS
std 1/1 ✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

@github-actions
Contributor

Node.js Build Test Results

Project Install Tests Status
clsx PASS ✅ PASS
execa PASS ✅ PASS
p-limit PASS ✅ PASS

Overall: ✅ PASS

All Node.js projects installed and tested successfully.

AI generated by Build Test Node.js

@github-actions
Contributor

C++ Build Test Results

Project CMake Build Status
fmt PASS
json PASS

Overall: PASS

All C++ projects built successfully.

AI generated by Build Test C++

@github-actions
Contributor

Go Build Test Results

Project Download Tests Status
color 1/1 PASS
env 1/1 PASS
uuid 1/1 PASS

Overall: PASS

All Go projects built and tested successfully.

AI generated by Build Test Go

@github-actions
Contributor

Chroot Mode Version Test Results

| Runtime | Host Version | Chroot Version | Match? |
|---|---|---|---|
| Python | 3.12.12 | 3.12.3 | ❌ NO |
| Node.js | v24.13.0 | v20.20.0 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Overall Result: ❌ Tests FAILED - Not all runtimes matched between host and chroot environments.

The chroot mode successfully accessed Go from the host, but Python and Node.js versions differ between the host and chroot environments.

AI generated by Smoke Chroot

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
@Claude
Contributor Author

Claude AI commented Feb 14, 2026

@claude[agent] please do not set OPENAI_BASE_URL for the codex agent for now. We will re-enable it at a future time

Fixed in ee0424b. OPENAI_BASE_URL is now disabled for Codex agents. The change is temporary and can be re-enabled in the future by uncommenting lines 1012-1016 in src/docker-manager.ts.

@Claude Claude AI changed the title from "feat: proxy claude api calls to secure auth token" to "Addressing PR comments" Feb 14, 2026
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
@github-actions
Contributor

github-actions bot commented Feb 14, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions
Contributor

github-actions bot commented Feb 14, 2026

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions
Contributor

github-actions bot commented Feb 14, 2026

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions
Contributor

github-actions bot commented Feb 14, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 82.82% | 82.83% | 📈 +0.01% |
| Statements | 82.81% | 82.74% | 📉 -0.07% |
| Functions | 82.74% | 82.74% | ➡️ +0.00% |
| Branches | 74.87% | 74.88% | ➡️ +0.01% |

📁 Per-file Coverage Changes (1 files)

| File | Lines (Before → After) | Statements (Before → After) |
|---|---|---|
| src/docker-manager.ts | 84.7% → 84.6% (-0.09%) | 84.1% → 83.8% (-0.36%) |

Coverage comparison generated by scripts/ci/compare-coverage.ts

@lpcox lpcox changed the title from "Addressing PR comments" to "feat: proxy claude api calls to secure auth token" Feb 14, 2026
@github-actions
Contributor

C++ Build Test Results

Project CMake Build Status
fmt PASS
json PASS

Overall: PASS

All C++ projects built successfully.

AI generated by Build Test C++

@github-actions
Contributor

Go Build Test Results

Project Download Tests Status
color 1/1 PASS
env 1/1 PASS
uuid 1/1 PASS

Overall: PASS

All Go projects tested successfully.

AI generated by Build Test Go

@github-actions
Contributor

Bun Build Test Results

Project Install Tests Status
elysia 1/1 PASS
hono 1/1 PASS

Overall: PASS

All Bun projects built and tested successfully.

AI generated by Build Test Bun

@github-actions
Contributor

Build Test: Node.js - Results

Project Install Tests Status
clsx PASS PASS
execa PASS PASS
p-limit PASS PASS

Overall: PASS

All Node.js projects built and tested successfully.

AI generated by Build Test Node.js

@github-actions
Contributor

Rust Build Test Results

Project Build Tests Status
fd 1/1 PASS
zoxide 1/1 PASS

Overall: PASS

All Rust projects built successfully and passed their test suites.

AI generated by Build Test Rust

@github-actions
Contributor

Deno Build Test Results

Project Tests Status
oak 1/1 ✅ PASS
std 1/1 ✅ PASS

Overall: ✅ PASS

All Deno tests completed successfully.

AI generated by Build Test Deno

@github-actions
Contributor

.NET Build Test Results ✅

All .NET projects successfully restored, built, and ran.

Project Restore Build Run Status
hello-world PASS
json-parse PASS

Overall: PASS

Details

hello-world:

  • Restored in 89 ms
  • Build succeeded with 0 warnings/errors
  • Output: Hello, World!

json-parse:

  • Restored in 849 ms (NuGet package downloaded)
  • Build succeeded with 0 warnings/errors
  • Output: Successfully parsed JSON and displayed structured data

AI generated by Build Test .NET

@github-actions
Contributor

Smoke Test Results

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP (reviewed PRs)
  • ❌ Playwright (firewall blocked azureedge.net domains)
  • ✅ File Write (smoke-test-copilot-22023872982.txt)
  • ✅ Bash Commands (file verified)

Status: FAIL (Playwright blocked)

cc: @lpcox @Claude

AI generated by Smoke Copilot

@github-actions
Contributor

✅ Java Build Test Results

All Java projects compiled and tested successfully through the AWF firewall.

Project Compile Tests Status
gson 1/1 PASS
caffeine 1/1 PASS

Overall: PASS

Both projects successfully downloaded dependencies through the Squid proxy (172.30.0.10:3128) and passed all tests.

AI generated by Build Test Java

@github-actions
Contributor

Smoke Test Results for Claude Engine

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP: Retrieved PR data
  • ✅ Playwright: GitHub page title verified
  • ✅ File Writing: Created test file successfully
  • ✅ Bash Tool: File verified with cat

Overall Status: PASS

AI generated by Smoke Claude

@github-actions
Contributor

Chroot Version Comparison Results

The chroot mode test compared runtime versions between the host and chroot environment:

| Runtime | Host Version | Chroot Version | Match? |
|---|---|---|---|
| Python | 3.12.12 | 3.12.3 | ❌ NO |
| Node.js | v24.13.0 | v20.20.0 | ❌ NO |
| Go | go1.22.12 | go1.22.12 | ✅ YES |

Overall Result: ❌ Tests did not pass

The version mismatches indicate that the chroot environment is accessing container binaries rather than the host binaries as expected. This suggests that the chroot mode transparent host binary access is not working correctly for Python and Node.js.

AI generated by Smoke Chroot

@github-actions
Contributor

PR titles:
fix: use 0o666 mode for ~/.claude.json to fix permissions
fix: set CLAUDE_CODE_API_KEY_HELPER env var for credential isolation
GitHub MCP merged PRs review: ✅
safeinputs-gh PR list: ✅
Playwright title check: ❌ (tool unavailable)
Tavily search: ❌ (tool unavailable)
File write+cat / Discussion comment / Build: ✅
Overall status: FAIL

AI generated by Smoke Codex

@lpcox lpcox merged commit 3fa55d3 into main Feb 14, 2026
90 of 94 checks passed
@lpcox lpcox deleted the claude/summarize-firewall-proxying branch February 14, 2026 20:48