Skip to content

docs: document implicit CLI behaviors (localhost keyword, enterprise auto-detection)#1612

Merged
Mossaka merged 3 commits intomainfrom
copilot/docs-improve-cli-behavior-documentation
Apr 2, 2026
Merged

docs: document implicit CLI behaviors (localhost keyword, enterprise auto-detection)#1612
Mossaka merged 3 commits intomainfrom
copilot/docs-improve-cli-behavior-documentation

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 2, 2026
edited
Loading

The CLI reference didn't document several implicit behaviors: the localhost keyword shortcut, enterprise domain auto-detection (GHEC/GHES), and had minimal coverage of protocol-specific filtering and wildcard patterns.

CLI reference (reference/cli-reference.md)

  • localhost keyword: Documents that --allow-domains localhost replaces with host.docker.internal, auto-enables --enable-host-access, and opens common dev ports (3000, 3001, 4000, 4200, 5000, 5173, 8000, 8080, 8081, 8888, 9000, 9090)
  • Enterprise auto-detection: New "Implicit Behaviors" section documenting:
    • GHEC: GITHUB_SERVER_URL with *.ghe.com auto-adds tenant, api.*, copilot-api.*, copilot-telemetry-service.*
    • GHES: ENGINE_API_TARGET auto-adds base domain, API subdomain, and Copilot cloud domains
  • Protocol-specific filtering: Added summary table showing domain.com (both), https://domain.com (HTTPS only), http://domain.com (HTTP only)
  • Wildcard patterns: Added pattern matching rules table with match/no-match examples

Domain filtering guide (guides/domain-filtering.md)

  • Added protocol-specific filtering section with examples and table
  • Fixed incorrect normalization docs — previously stated "Protocols stripped: https://github.com = github.com" which is wrong; protocol prefixes are meaningful for protocol-specific filtering

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • telemetry.astro.build
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/docs-site/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 2, 2026 that may be closed by this pull request
docs: document implicit CLI behaviors (localhost keyword, enterprise auto-detection) #1566
Closed
Copilot AI changed the title [WIP] Document implicit CLI behaviors for localhost and enterprise domains docs: document implicit CLI behaviors (localhost keyword, enterprise auto-detection) Apr 2, 2026
Copilot AI requested a review from Mossaka April 2, 2026 18:32
@Mossaka Mossaka requested a review from Copilot April 2, 2026 18:58
Copilot AI reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the AWF documentation to explicitly describe previously implicit CLI behaviors around domain allowlisting and filtering, helping users predict how awf expands and interprets domain inputs.

Changes:

  • Expanded --allow-domains documentation with protocol-specific filtering, wildcard matching rules, and the localhost keyword behavior.
  • Added an “Implicit Behaviors” section describing enterprise (GHEC/GHES) domain auto-detection and auto-allowlisting.
  • Corrected domain normalization docs to reflect that protocol prefixes are meaningful (not stripped).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
docs-site/src/content/docs/reference/cli-reference.md Documents --allow-domains keywords/patterns and adds enterprise auto-detection (“Implicit Behaviors”).
docs-site/src/content/docs/guides/domain-filtering.md Adds protocol-specific filtering guidance and fixes normalization docs regarding protocol prefixes.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

docs-site/src/content/docs/reference/cli-reference.md
Comment on lines +53 to 56
Comma-separated list of allowed domains. Domains automatically match all subdomains. Supports wildcard patterns, protocol-specific filtering, and special keywords.

**If no domains are specified, all network access is blocked.** This is useful for running commands that should have no network access.

Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The statement that “If no domains are specified, all network access is blocked” is not always true once implicit allowlist expansion runs. In enterprise environments, domains may be auto-added from GITHUB_SERVER_URL/GITHUB_API_URL (GHEC) or ENGINE_API_TARGET (GHES) even when the user doesn’t pass --allow-domains. Consider clarifying this sentence (or adding a note) to describe that implicit behaviors can add domains to an otherwise empty allowlist.

See below for a potential fix:

**If no domains are specified, network access is blocked by default.** This is useful for running commands that should have no network access.

**Note:** In some enterprise environments, domains may still be added implicitly to the allowlist from configuration such as `GITHUB_SERVER_URL`, `GITHUB_API_URL`, or `ENGINE_API_TARGET`, even when `--allow-domains` is not provided.

```bash
# Allow specific domains
--allow-domains github.com,npmjs.org
--allow-domains '*.github.com,api-*.example.com'

# No network access by default when omitted

Copilot uses AI. Check for mistakes.
docs-site/src/content/docs/reference/cli-reference.md
Comment on lines +137 to +141
When `localhost` is detected, awf automatically:

1. **Replaces `localhost` with `host.docker.internal`** — Maps to Docker's host gateway so containers can reach host services
2. **Enables `--enable-host-access`** — Activates host network access (equivalent to passing `--enable-host-access`)
3. **Allows common development ports** — Opens ports 3000, 3001, 4000, 4200, 5000, 5173, 8000, 8080, 8081, 8888, 9000, 9090
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CLI only replaces the first occurrence of localhost/http://localhost/https://localhost in the allowlist (additional occurrences are left unchanged). Consider documenting this so users don’t expect multiple localhost entries (e.g., mixed protocol) to all be rewritten automatically.

Copilot uses AI. Check for mistakes.
@Mossaka Mossaka force-pushed the copilot/docs-improve-cli-behavior-documentation branch from cd666e7 to 594647b Compare April 2, 2026 21:15
@Mossaka Mossaka marked this pull request as ready for review April 2, 2026 21:15
@Mossaka Mossaka merged commit 69c2d3d into main Apr 2, 2026
@Mossaka Mossaka deleted the copilot/docs-improve-cli-behavior-documentation branch April 2, 2026 21:16
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 2, 2026

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit 43532ac

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Mossaka Mossaka Awaiting requested review from Mossaka Mossaka is a code owner

Assignees

@Mossaka Mossaka

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

docs: document implicit CLI behaviors (localhost keyword, enterprise auto-detection)

3 participants

@Mossaka