Merged
27 changes: 27 additions & 0 deletions docs/environment.md
Expand Up @@ -68,6 +68,33 @@ The following environment variables are set internally by the firewall and used

**Note:** These are set automatically based on CLI options and should not be overridden manually.

## Debugging Environment Variables

The following environment variables control debugging behavior:

| Variable | Description | Default | Example |
|----------|-------------|---------|---------|
| `AWF_ONE_SHOT_TOKEN_DEBUG` | Enable debug logging for one-shot-token library | `off` | `1` or `true` |

### One-Shot Token Debug Logging

The one-shot-token library protects sensitive tokens (GITHUB_TOKEN, OPENAI_API_KEY, etc.) from environment variable inspection. By default, it operates silently. To troubleshoot token caching issues, enable debug logging:

```bash
# Enable debug logging
export AWF_ONE_SHOT_TOKEN_DEBUG=1

# Run AWF with sudo -E to preserve the variable
sudo -E awf --allow-domains github.com 'your-command'
```

When enabled, the library logs:
- Token initialization messages
- Token access and caching events
- Environment cleanup confirmations

**Note:** Debug output goes to stderr and does not interfere with command stdout. See `containers/agent/one-shot-token/README.md` for complete documentation.

**Historical note:** Prior to v0.13.5, `HTTP_PROXY` and `HTTPS_PROXY` were set to point to Squid. These have been removed in favor of transparent iptables-based redirection, which is more reliable and avoids conflicts with tools that don't honor proxy environment variables.

## Troubleshooting
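Review bot: The new `## Debugging Environment Variables` section is inserted between the "These are set automatically..." note and the existing "Historical note" about `HTTP_PROXY`/`HTTPS_PROXY`, so that historical note now reads as part of "One-Shot Token Debug Logging" rather than the internally-set variables section it belongs to. Place the new section after the historical note, directly before `## Troubleshooting`. The table row gives the default as `off` and the example as `1` or `true` without listing which values are accepted. Since the text says the library logs "Token access and caching events" to stderr, state here whether that output contains only token names or can include token values.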
26 changes: 26 additions & 0 deletions docs/troubleshooting.md
Expand Up @@ -87,6 +87,32 @@
echo $GITHUB_TOKEN # Should print the token
```

### Token Caching Issues

**Problem:** Sensitive tokens (GITHUB_TOKEN, OPENAI_API_KEY, etc.) not being properly cached or cleared

**Solution:**
1. Enable debug logging for the one-shot-token library:
```bash
export AWF_ONE_SHOT_TOKEN_DEBUG=1
sudo -E awf --allow-domains ... 'your-command'
```
2. Check the debug output for:
- `Initialized with N default token(s)` - Library loaded successfully
- `Token <NAME> accessed and cached` - Token was read and cached
- `INFO: Token <NAME> cleared from process environment` - Token removed from /proc/environ
- `WARNING: Token <NAME> still exposed` - Token cleanup failed (security concern)
3. If tokens are still exposed, check:
- The token name is in the default protected list (see `containers/agent/one-shot-token/README.md`)
- Or set `AWF_ONE_SHOT_TOKENS` to explicitly protect custom tokens:
```bash
export AWF_ONE_SHOT_TOKENS="MY_CUSTOM_TOKEN,ANOTHER_TOKEN"
export AWF_ONE_SHOT_TOKEN_DEBUG=1
sudo -E awf --allow-domains ... 'your-command'
```

**Note:** Debug output goes to stderr. Use `2>&1 | tee debug.log` to capture it.

## MCP Server Issues

### MCP Server Can't Connect
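Review bot: In step 2, "Token removed from /proc/environ" names a path that does not exist; the per-process file is `/proc/<pid>/environ` (or `/proc/self/environ`), and the description should use that. Step 3 does not say whether `AWF_ONE_SHOT_TOKENS` adds to the default protected list or replaces it; if it replaces it, the example value `MY_CUSTOM_TOKEN,ANOTHER_TOKEN` would leave the default tokens unprotected, so the docs should spell out which it is. The closing note recommends `2>&1 | tee debug.log`, which writes the debug stream to disk, so it should also say whether that file can contain token values and how it should be handled.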