docs: add API Proxy section to CLI reference#1607
Conversation
There was a problem hiding this comment.
Pull request overview
Adds missing CLI reference documentation for the API proxy feature so users can discover and correctly configure the sidecar and its related flags.
Changes:
- Added all API proxy-related flags to the CLI Options Summary table.
- Added detailed documentation for API proxy flags (targets, base paths, rate limiting) with examples and security notes.
- Added a “See Also” link to the API Proxy Sidecar reference page.
Comments suppressed due to low confidence (4)
docs-site/src/content/docs/reference/cli-reference.md:435
- The “Requires:
--enable-api-proxy” line implies the CLI will error if this flag is used without--enable-api-proxy, but there’s no validation enforcing that (unlike the rate-limit flags). Consider rephrasing to something like “Only takes effect with--enable-api-proxy” to match current behavior.
- **Default:** `api.openai.com`
- **Requires:** `--enable-api-proxy`
docs-site/src/content/docs/reference/cli-reference.md:449
- The “Requires:
--enable-api-proxy” line implies the CLI will error if this flag is used without--enable-api-proxy, but there’s no validation enforcing that. Consider rephrasing to “Only takes effect with--enable-api-proxy” (rate-limit flags are the ones that actually error without it).
- **Default:** none
- **Requires:** `--enable-api-proxy`
docs-site/src/content/docs/reference/cli-reference.md:465
- The “Requires:
--enable-api-proxy” line implies the CLI will error if this flag is used without--enable-api-proxy, but there’s no validation enforcing that (unlike the rate-limit flags). Consider rephrasing to something like “Only takes effect with--enable-api-proxy” to match current behavior.
- **Default:** `api.anthropic.com`
- **Requires:** `--enable-api-proxy`
docs-site/src/content/docs/reference/cli-reference.md:479
- The “Requires:
--enable-api-proxy” line implies the CLI will error if this flag is used without--enable-api-proxy, but there’s no validation enforcing that. Consider rephrasing to “Only takes effect with--enable-api-proxy” to match current behavior.
- **Default:** none
- **Requires:** `--enable-api-proxy`
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| | `--rate-limit-rpm <n>` | number | `600` | Max requests per minute per provider | | ||
| | `--rate-limit-rph <n>` | number | `10000` | Max requests per hour per provider | | ||
| | `--rate-limit-bytes-pm <n>` | number | `52428800` (~50 MB) | Max request bytes per minute per provider | |
There was a problem hiding this comment.
The Options Summary table lists --rate-limit-* defaults as always-on numeric values, but buildRateLimitConfig only applies these defaults when rate limiting is enabled (i.e., when at least one --rate-limit-* flag is provided). Consider updating the defaults column to reflect this (e.g., “600 (when enabled)”) to avoid implying rate limiting is enabled by default.
| | `--rate-limit-rpm <n>` | number | `600` | Max requests per minute per provider | | |
| | `--rate-limit-rph <n>` | number | `10000` | Max requests per hour per provider | | |
| | `--rate-limit-bytes-pm <n>` | number | `52428800` (~50 MB) | Max request bytes per minute per provider | | |
| | `--rate-limit-rpm <n>` | number | `600` (when enabled) | Max requests per minute per provider | | |
| | `--rate-limit-rph <n>` | number | `10000` (when enabled) | Max requests per hour per provider | | |
| | `--rate-limit-bytes-pm <n>` | number | `52428800` (~50 MB, when enabled) | Max request bytes per minute per provider | |
| **Required environment variables** (at least one): | ||
|
|
||
| | Variable | Provider | | ||
| |----------|----------| | ||
| | `OPENAI_API_KEY` | OpenAI / Codex | | ||
| | `ANTHROPIC_API_KEY` | Anthropic / Claude | | ||
| | `COPILOT_GITHUB_TOKEN` | GitHub Copilot | | ||
|
|
There was a problem hiding this comment.
This section labels the API key environment variables as “Required”, but the CLI does not require them to be set when --enable-api-proxy is used—validateApiProxyConfig only emits warnings when no keys are present. Consider rewording to indicate they’re required to make proxied requests (or “recommended”), rather than required to run the command.
| Target hostname for GitHub Copilot API requests. Useful for GitHub Enterprise Server (GHES) deployments where the Copilot API endpoint differs from the public default. Can also be set via the `COPILOT_API_TARGET` environment variable. | ||
|
|
||
| - **Default:** `api.githubcopilot.com` | ||
| - **Requires:** `--enable-api-proxy` |
There was a problem hiding this comment.
The “Requires: --enable-api-proxy” line implies the CLI will error if this flag is used without --enable-api-proxy, but there’s no validation enforcing that (unlike the rate-limit flags). Consider rephrasing to something like “Only takes effect with --enable-api-proxy” to match current behavior.
This issue also appears in the following locations of the same file:
- line 433
- line 447
- line 463
- line 477
| - **Requires:** `--enable-api-proxy` | |
| - **Only takes effect with:** `--enable-api-proxy` |
| ``` | ||
|
|
||
| :::caution | ||
| When using a custom `--openai-api-target` or `--anthropic-api-target`, you must add the target domain to `--allow-domains` so the firewall permits outbound traffic. AWF emits a warning if a custom target is set but not in the allowlist. |
There was a problem hiding this comment.
This caution says custom --*-api-target domains must be manually added to --allow-domains and that AWF will warn if they’re missing. However, the CLI currently auto-merges API target values (from flags or env) into the allowlist via resolveApiTargetsToAllowedDomains, so users generally don’t need to add them explicitly and won’t see that warning. Consider updating this note to reflect the auto-allowlisting behavior (and any remaining cases where a warning can still occur).
| When using a custom `--openai-api-target` or `--anthropic-api-target`, you must add the target domain to `--allow-domains` so the firewall permits outbound traffic. AWF emits a warning if a custom target is set but not in the allowlist. | |
| When you use a custom `--openai-api-target` or `--anthropic-api-target`, AWF normally adds that target domain to the effective allowlist automatically (including when the target is provided via environment variables), so you usually do not need to add it manually to `--allow-domains`. If AWF cannot resolve or apply the custom target as expected, you may still need to verify that the target domain is allowed, and a warning can still appear in those cases. |
Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/055ecfbc-1cb0-45bb-b1bd-53018b6a4256 Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
Mossaka
force-pushed
the
copilot/add-api-proxy-section-to-cli-reference-again
branch
from
d0f9f71 to
c6e1fba
Compare
The CLI reference was missing all 10 API proxy flags — a major feature with zero documentation.
Changes
--enable-api-proxy,--copilot-api-target,--openai-api-target,--openai-api-base-path,--anthropic-api-target,--anthropic-api-base-path,--rate-limit-rpm,--rate-limit-rph,--rate-limit-bytes-pm,--no-rate-limit--enable-api-proxyrequirements, env var alternatives, and usage examples. The--enable-api-proxyentry includes the environment variable table (API keys), sidecar port mapping, and security admonitions.All defaults and descriptions were verified against
src/cli.tsoption definitions andsrc/types.tstype docs.Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
telemetry.astro.build/home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/docs-site/node_modules/.bin/astro build(dns block)If you need me to access, download, or install something from one of these locations, you can either: