docs: add missing container configuration flags to CLI reference#1610
Pull request overview
Updates the AWF CLI reference documentation to include several previously-undocumented container/configuration flags that already exist in src/cli.ts, improving completeness of the docs-site CLI reference.
Changes:
- Added missing flags to the Options Summary table (`--ruleset-file`, `--agent-timeout`, `--env-file`, `--memory-limit`, `--audit-dir`).
- Added/expanded detailed sections for `--exclude-env`, `--env-file`, `--memory-limit`, `--agent-timeout`, `--audit-dir`, and `--ruleset-file`.
- Documented a YAML ruleset schema for domain allowlisting.
Comments suppressed due to low confidence (1)
docs-site/src/content/docs/reference/cli-reference.md:133
- The field description for `subdomains` implies it controls whether subdomains are allowed, but per current code (`src/rules.ts` + Squid domain normalization) subdomain matching is always enabled and this flag has no effect. Adjust the schema docs so users don't assume `subdomains: false` will narrow the allowlist.
| `domain` | Yes | — | Domain name to allow |
| `subdomains` | No | `true` | Whether to also allow all subdomains |
| - domain: github.com | ||
| subdomains: true # default: true — also allows *.github.com | ||
| - domain: example.com | ||
| subdomains: false # exact match only | ||
| ``` |
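Review bot: the inline comment on `subdomains: false # exact match only` states a narrowing guarantee for a domain allowlist, and a reader who copies this snippet gets that guarantee from the comment alone. Unless exact-match enforcement is confirmed, reword the comment to describe what the field does today or drop the `example.com` entry from the example, and keep the wording consistent with the `subdomains` row of the field table.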
The subdomains: false example ("exact match only") is not accurate with the current implementation. In src/rules.ts, subdomains is parsed but expandRule() always returns the bare domain (subdomain matching is always enabled via Squid domain normalization), so subdomains: false does not restrict to exact matches. Please update the docs to reflect current behavior (e.g., mark subdomains as reserved/no-op for now, or remove the exact-match wording) or update the implementation to actually enforce exact-match semantics.
This issue also appears on line 131 of the same file.
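The gap this review comment describes, as an added example that is not code from the gh-aw-firewall repository: it compares always-on suffix matching (the behaviour the comment attributes to the current implementation) with the exact-match reading of `subdomains: false`, and lists the hosts where the two disagree. The `Rule` shape uses the two schema fields named on this page; the function names, the matching logic and the sample hosts are assumptions for illustration, not the project's `expandRule()` or Squid's own matching.

```typescript
// Added illustration; rule fields follow the schema on this page, the rest is assumed.
interface Rule { domain: string; subdomains?: boolean }

// Constructed sample ruleset mirroring the docs example under review.
const sampleRules: Rule[] = [
  { domain: "github.com", subdomains: true },
  { domain: "example.com", subdomains: false },
];

// Constructed probe hosts, including a look-alike and a trailing-dot FQDN.
const probeHosts = ["example.com", "api.example.com", "notexample.com",
                    "raw.github.com", "EXAMPLE.com."];

function normalize(host: string): string {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// Behaviour the review comment describes: subdomain matching is always on.
function allowedAsImplemented(host: string, rules: Rule[]): boolean {
  const h = normalize(host);
  return rules.some((r) => {
    const d = normalize(r.domain);
    return h === d || h.endsWith("." + d); // dot boundary, so notexample.com fails
  });
}

// Behaviour the docs example promises: subdomains: false means exact match only.
function allowedAsDocumented(host: string, rules: Rule[]): boolean {
  const h = normalize(host);
  return rules.some((r) => {
    const d = normalize(r.domain);
    if (h === d) return true;
    return r.subdomains !== false && h.endsWith("." + d);
  });
}

// Hosts allowed in practice but not under the documented semantics.
function semanticGaps(hosts: string[], rules: Rule[]): string[] {
  return hosts.filter(
    (h) => allowedAsImplemented(h, rules) && !allowedAsDocumented(h, rules)
  );
}

// Rules whose subdomains: false would be a no-op under always-on matching.
function noOpRules(rules: Rule[]): string[] {
  return rules.filter((r) => r.subdomains === false).map((r) => r.domain);
}
```

Running `semanticGaps` over the hosts a ruleset is meant to exclude shows how much wider the effective allowlist is than the documented one.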
Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/3205fc6a-2852-4cee-bc87-7ada09a9761e Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
c0f13f7 to b65f3a5
The CLI reference page was missing six flags that exist in `src/cli.ts`.

Options Summary table

Added `--ruleset-file`, `--agent-timeout`, `--env-file`, `--memory-limit`, and `--audit-dir` rows.

Options Details sections

Added detailed documentation for all six flags:

- `--exclude-env <name>` — was in summary table but had no details section. Documents security use with `--env-all`.
- `--env-file <path>` — KEY=VALUE file format with comment support.
- `--memory-limit <limit>` — `<number><unit>` format (b/k/m/g), default `6g`.
- `--agent-timeout <minutes>` — positive integer, no limit by default.
- `--audit-dir <path>` — configs, policy manifest, iptables state. Also settable via `AWF_AUDIT_DIR`.
- `--ruleset-file <path>` — YAML schema documented with field table:

All descriptions verified against flag definitions in `src/cli.ts` and schema in `src/rules.ts`.