You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
AWF has evolved significantly: network-isolation mode, API proxy credential injection, topology-attach for MCP/DIFC peers, and container runtime options (sbx, gVisor) now provide a hardened, sudo-free security posture. But this posture is hidden behind a collection of flags that are all individually opt-in and default to off:
Flag
Default
Should be standard?
--network-isolation
false
✅ Yes — Docker network topology, no iptables, no sudo
--enable-api-proxy
false
✅ Yes — agent never holds API credentials
--enable-host-access
false
❌ No — incompatible with network isolation
--enable-dind
false
❌ No — firewall bypass risk
--topology-attach
[]
✅ Yes — required for MCP gateway / DIFC proxy
0 out of 21 smoke tests use --network-isolation. 19 out of 21 use sudo. The "modern" mode has near-zero CI coverage, while the legacy iptables mode is the de facto standard. This is backwards — the hardened mode should be the default, and the legacy mode should require explicit opt-in.
Proposal: --security-mode strict | compat
Introduce a single --security-mode flag. strict is the default. Operators must explicitly opt into --security-mode compat to use the legacy iptables-based configuration.
--security-mode strict (DEFAULT)
Bundles:
Network isolation (internal: true Docker network, Squid dual-homed as sole egress)
API proxy (credential injection — agent never holds API keys)
No sudo (no host iptables, no NET_ADMIN)
No host access (rejects --enable-host-access)
No --enable-dind (rejects Docker socket passthrough)
Topology-attach available for MCP gateway and DIFC proxy peers
For microvm runtimes (sbx), strict mode uses DOCKER_SANDBOXES_PROXY → Squid instead of Docker network topology (sbx already enforces this without iptables).
--security-mode compat (legacy, explicit opt-in)
Preserves:
Host iptables egress enforcement (requires sudo)
Agent holds API keys directly (no proxy)
--enable-host-access available
--enable-dind available (with existing warnings)
Strict mode takes precedence
When running in strict mode (the default), incompatible options are overridden and discarded with a clear warning. Strict mode always wins — it cannot be weakened by stale config files or copy-pasted flags from old documentation.
Incompatible options that are overridden in strict mode:
--dns-over-https (requires direct external connectivity) → ignored
Explicit --no-network-isolation or network.isolation: false → ignored
Explicit --no-api-proxy or apiProxy.enabled: false → ignored
Warning behavior: AWF logs a warning for each overridden option and continues in strict mode:
warning: --enable-host-access was ignored (incompatible with --security-mode strict, the default).
Pass --security-mode compat to enable host access.
AWF continues to run with the incompatible option disabled. This prevents stale configurations from silently breaking workflows while making it clear what needs to change.
Key finding: sbx uses a different enforcement mechanism (daemon-level proxy, not Docker network topology). --security-mode strict needs to recognize this and not apply --network-isolation to microvm runtimes — they get equivalent protection through a different path.
MCP gateway compatibility
The MCP gateway (awmg-mcpg) must be launched as a bridge container (not --network host) for topology-attach to work. This is because Docker cannot connect a host-network container to a user-defined bridge.
Problem
AWF has evolved significantly: network-isolation mode, API proxy credential injection, topology-attach for MCP/DIFC peers, and container runtime options (sbx, gVisor) now provide a hardened, sudo-free security posture. But this posture is hidden behind a collection of flags that are all individually opt-in and default to off:
--network-isolationfalse--enable-api-proxyfalse--enable-host-accessfalse--enable-dindfalse--topology-attach[]0 out of 21 smoke tests use
--network-isolation. 19 out of 21 usesudo. The "modern" mode has near-zero CI coverage, while the legacy iptables mode is the de facto standard. This is backwards — the hardened mode should be the default, and the legacy mode should require explicit opt-in.Proposal:
--security-mode strict | compatIntroduce a single
--security-modeflag.strictis the default. Operators must explicitly opt into--security-mode compatto use the legacy iptables-based configuration.--security-mode strict(DEFAULT)Bundles:
internal: trueDocker network, Squid dual-homed as sole egress)NET_ADMIN)--enable-host-access)--enable-dind(rejects Docker socket passthrough)For microvm runtimes (sbx), strict mode uses
DOCKER_SANDBOXES_PROXY→ Squid instead of Docker network topology (sbx already enforces this without iptables).--security-mode compat(legacy, explicit opt-in)Preserves:
--enable-host-accessavailable--enable-dindavailable (with existing warnings)Strict mode takes precedence
When running in strict mode (the default), incompatible options are overridden and discarded with a clear warning. Strict mode always wins — it cannot be weakened by stale config files or copy-pasted flags from old documentation.
Incompatible options that are overridden in strict mode:
--enable-host-access/network.enableHostAccess→ ignored--enable-dind/container.enableDind→ ignored--dns-over-https(requires direct external connectivity) → ignored--no-network-isolationornetwork.isolation: false→ ignored--no-api-proxyorapiProxy.enabled: false→ ignoredWarning behavior: AWF logs a warning for each overridden option and continues in strict mode:
AWF continues to run with the incompatible option disabled. This prevents stale configurations from silently breaking workflows while making it clear what needs to change.
Behavior summary
awf --allow-domains x ...awf --security-mode strict ...awf --security-mode compat --enable-host-access ...awf --enable-host-access ...network.isolation: falseawf --security-mode strict --enable-host-access ...Runtime compatibility matrix
Validated via #6195 and existing
network-isolation-test.lock.yml:composeinternal: truenetwork + Squid dual-homednetwork-isolation-test.lock.yml)composepatchComposeWithTopologyHostscomposemicrovmDOCKER_SANDBOXES_PROXY→ Squid (daemon-level)Key finding: sbx uses a different enforcement mechanism (daemon-level proxy, not Docker network topology).
--security-mode strictneeds to recognize this and not apply--network-isolationto microvm runtimes — they get equivalent protection through a different path.MCP gateway compatibility
The MCP gateway (
awmg-mcpg) must be launched as a bridge container (not--network host) for topology-attach to work. This is because Docker cannot connect a host-network container to a user-defined bridge.Working configuration (validated in CI):
With
MCP_GATEWAY_DOMAIN="awmg-mcpg"(agent reaches gateway by container name onawf-net).Codebase assessment
The codebase is well-structured for this transition — moderate effort, not a major refactor.
Architecture (already clean)
cli-workflow.tshas a single if/else (28 lines) separating topology vs iptables paths — zero interleavingcompose-network.tsoptional-services.tsCode breakdown by mode
Implementation phases
--security-modeflag (default: strict)cli-options.ts,build-config.ts,infrastructure-validator.tsoptional-services.ts,excluded-vars.ts,agent-service.tsif (enableApiProxy)guards for strict pathsquid-service.tshost-iptables*.ts,cli-workflow.ts--security-mode compat, add sudo/NET_ADMIN fail-stopEstimated total: 3-4 days, high confidence of no regressions.
Tasks
--security-modeCLI option and config schema field (default:strict)--security-mode compatDOCKER_SANDBOXES_PROXY