From de573b30e3f4006b1ce76bdff632fe140f829c97 Mon Sep 17 00:00:00 2001 From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com> Date: Fri, 13 Feb 2026 10:26:38 +0000 Subject: [PATCH 1/2] Initial plan From 47c50f2121f0f312ee288f77e68d8b6519f11a26 Mon Sep 17 00:00:00 2001 From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com> Date: Fri, 13 Feb 2026 10:32:58 +0000 Subject: [PATCH 2/2] fix(api-proxy): remove anthropic api key from api-proxy service Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- src/docker-manager.ts | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/src/docker-manager.ts b/src/docker-manager.ts index 0216b48dd..0f8d8bffa 100644 --- a/src/docker-manager.ts +++ b/src/docker-manager.ts @@ -856,8 +856,9 @@ export function generateDockerCompose( } // Pass API proxy flag to agent for iptables configuration - // Only set when api-proxy will actually be deployed (i.e., at least one API key is provided) - if (config.enableApiProxy && networkConfig.proxyIp && (config.openaiApiKey || config.anthropicApiKey)) { + // Only set when api-proxy will actually be deployed (i.e., OpenAI API key is provided) + // Note: Anthropic (Claude) uses direct API key authentication, not the api-proxy + if (config.enableApiProxy && networkConfig.proxyIp && config.openaiApiKey) { environment.AWF_ENABLE_API_PROXY = '1'; } @@ -915,9 +916,10 @@ export function generateDockerCompose( 'agent': agentService, }; - // Add Nginx API proxy sidecar if enabled and at least one API key is provided - // The api-proxy service handles both OpenAI and Anthropic API requests - if (config.enableApiProxy && networkConfig.proxyIp && (config.openaiApiKey || config.anthropicApiKey)) { + // Add Nginx API proxy sidecar if enabled and OpenAI API key is provided + // Note: The api-proxy service is only used for OpenAI requests. + // Anthropic (Claude) uses direct API key authentication via environment variables. + if (config.enableApiProxy && networkConfig.proxyIp && config.openaiApiKey) { const proxyEnv: Record = { // Route through Squid to respect domain whitelisting HTTP_PROXY: `http://${networkConfig.squidIp}:${SQUID_PORT}`, @@ -925,12 +927,10 @@ export function generateDockerCompose( }; // Pass API keys securely to sidecar (not visible to agent) + // Note: Only OpenAI uses the api-proxy. Anthropic keys are passed directly to agent. if (config.openaiApiKey) { proxyEnv.OPENAI_API_KEY = config.openaiApiKey; } - if (config.anthropicApiKey) { - proxyEnv.ANTHROPIC_API_KEY = config.anthropicApiKey; - } const proxyService: any = { container_name: 'awf-api-proxy', @@ -991,14 +991,11 @@ export function generateDockerCompose( // Set environment variables in agent to use the API proxy // Use IP address instead of hostname to avoid DNS resolution issues + // Note: Only OpenAI uses the api-proxy. Anthropic (Claude) uses the API key directly. if (config.openaiApiKey) { environment.OPENAI_BASE_URL = `http://${networkConfig.proxyIp}:10000`; logger.debug(`OpenAI API will be proxied through sidecar at http://${networkConfig.proxyIp}:10000`); } - if (config.anthropicApiKey) { - environment.ANTHROPIC_BASE_URL = `http://${networkConfig.proxyIp}:10001`; - logger.debug(`Anthropic API will be proxied through sidecar at http://${networkConfig.proxyIp}:10001`); - } logger.info('API proxy sidecar enabled - API keys will be held securely in sidecar container'); logger.info('API proxy will route through Squid to respect domain whitelisting');