API proxy does not forward to custom OPENAI_BASE_URL / ANTHROPIC_BASE_URL endpoints (e.g., internal LLM routers)

[Rubyj]

Description

When using the AWF sandbox with --enable-api-proxy, the API proxy overrides OPENAI_BASE_URL inside the agent container to point to its internal proxy (http://172.30.0.30:10000/v1). The proxy then forwards all requests to the hardcoded api.openai.com (or api.anthropic.com), ignoring any custom OPENAI_BASE_URL or ANTHROPIC_BASE_URL set by the user.

This makes it impossible to use AWF with internal/self-hosted LLM endpoints, such as corporate LLM routers or proxies that provide an OpenAI-compatible API.

Reproduction

1. Configure a workflow with a custom OPENAI_BASE_URL pointing to an internal endpoint:

engine:
  id: codex
  model: gpt-5.3-codex
  env:
    OPENAI_BASE_URL: "https://llm-router.internal.example.com/v1"
    OPENAI_API_KEY: ${{ secrets.LLM_ROUTER_KEY }}

2. Compile and run the workflow. The compiled lock file includes --enable-api-proxy automatically.

3. The AWF API proxy:

   • Overrides OPENAI_BASE_URL to http://172.30.0.30:10000/v1 inside the agent container
   • Strips OPENAI_API_KEY from the agent container (credential isolation)
   • Forwards all requests to api.openai.com instead of the custom endpoint

4. Result: 401 Unauthorized because the internal API key is sent to api.openai.com, which doesn't recognize it.

Evidence from logs

[health-check] ✓ OpenAI/Codex credentials NOT in agent environment (correct)
[health-check] Testing connectivity to OpenAI API proxy at http://172.30.0.30:10000/v1...
...
Request completed method=POST url=http://172.30.0.30:10000/v1/responses status=401 Unauthorized
headers={... "Domain=api.openai.com" ...}
Incorrect API key provided: sk-****

The Domain=api.openai.com in the response cookies confirms the proxy is forwarding to OpenAI's API, not our internal endpoint.

Expected behavior

The API proxy should respect the user-configured OPENAI_BASE_URL / ANTHROPIC_BASE_URL and forward requests to that endpoint instead of the hardcoded defaults. This would allow AWF's credential isolation and firewall features to work with:

• Corporate/internal LLM routers
• Azure OpenAI endpoints
• Self-hosted OpenAI-compatible APIs (e.g., vLLM, TGI, etc.)

Suggested implementation

A --openai-api-target <url> flag (similar to the existing --copilot-api-target <host> flag) that configures the API proxy's upstream for OpenAI requests. Similarly, --anthropic-api-target <url> for Anthropic.

The gh-aw compiler could automatically set these flags when it detects a custom OPENAI_BASE_URL or ANTHROPIC_BASE_URL in engine.env.

Current workaround

The only workaround is to disable the AWF sandbox entirely (sandbox.agent: false + strict: false + threat-detection: false), which removes all firewall protection and credential isolation. This is not ideal for production use.

Documentation reference

The API proxy limitations are documented at docs/api-proxy-sidecar.md:

• Only supports OpenAI and Anthropic APIs
• No support for Azure OpenAI endpoints

Environment

• gh-aw CLI: v0.53.6
• AWF: v0.23.0
• Engine: codex (OpenAI Codex CLI)
• Runner: Self-hosted (Amazon Linux 2023)

[Rubyj]

Agentic Implementation Plan

After researching the codebase and working on this, here is a complete implementation plan for a core team member to pick up.

Summary

When a workflow sets OPENAI_BASE_URL or ANTHROPIC_BASE_URL in engine.env (to route requests to an internal LLM endpoint), the compiler should extract the hostname and emit the corresponding --openai-api-target / --anthropic-api-target AWF flags — provided gh-aw-firewall PR #1247 is also merged first (which adds those flags to AWF).

Prerequisite: gh-aw-firewall PR #1247

See github/gh-aw-firewall#1247 — this adds --openai-api-target and --anthropic-api-target to AWF's CLI and proxy. The gh-aw change depends on it.

---

Implementation: pkg/workflow/awf_helpers.go

1. Add "net/url" to imports:

import (
    "fmt"
    "net/url"
    "sort"
    "strings"
    ...
)

2. In BuildAWFArgs(), after the --enable-api-proxy line (~line 190), add:

// If engine.env sets OPENAI_BASE_URL, extract the hostname and pass it as
// --openai-api-target so the API proxy forwards to the custom endpoint instead
// of the default api.openai.com.
engineEnv := getEngineEnvOverrides(config.WorkflowData)
if engineEnv != nil {
    if openaiBaseURL, ok := engineEnv["OPENAI_BASE_URL"]; ok && openaiBaseURL != "" {
        if host := extractHostname(openaiBaseURL); host != "" {
            awfArgs = append(awfArgs, "--openai-api-target", host)
            awfHelpersLog.Printf("Set --openai-api-target to %s from OPENAI_BASE_URL", host)
        }
    }
    if anthropicBaseURL, ok := engineEnv["ANTHROPIC_BASE_URL"]; ok && anthropicBaseURL != "" {
        if host := extractHostname(anthropicBaseURL); host != "" {
            awfArgs = append(awfArgs, "--anthropic-api-target", host)
            awfHelpersLog.Printf("Set --anthropic-api-target to %s from ANTHROPIC_BASE_URL", host)
        }
    }
}

3. Add the extractHostname helper function:

// extractHostname parses a URL and returns just the hostname (without scheme, path, or port).
// Returns an empty string if the URL is invalid or has no host, and logs a warning for non-empty invalid inputs.
func extractHostname(rawURL string) string {
    parsed, err := url.Parse(rawURL)
    if err != nil {
        if rawURL != "" {
            awfHelpersLog.Printf("Warning: failed to parse URL %q for hostname extraction: %v", rawURL, err)
        }
        return ""
    }

    hostname := parsed.Hostname()
    if hostname == "" {
        if rawURL != "" {
            awfHelpersLog.Printf("Warning: URL %q has no hostname component; skipping API target configuration", rawURL)
        }
        return ""
    }

    return hostname
}

---

Tests: pkg/workflow/enable_api_proxy_test.go

Add the following test functions:

// TestExtractHostname tests the extractHostname helper function.
func TestExtractHostname(t *testing.T) {
    tests := []struct {
        name     string
        input    string
        expected string
    }{
        {name: "full URL", input: "https://llm-router.internal.example.com/v1", expected: "llm-router.internal.example.com"},
        {name: "URL with port", input: "https://llm-router.internal.example.com:8443/v1", expected: "llm-router.internal.example.com"},
        {name: "plain hostname", input: "api.openai.com", expected: "api.openai.com"},
        {name: "empty string", input: "", expected: ""},
        {name: "URL without path", input: "https://example.com", expected: "example.com"},
    }
    for _, tc := range tests {
        t.Run(tc.name, func(t *testing.T) {
            result := extractHostname(tc.input)
            if result != tc.expected {
                t.Errorf("extractHostname(%q) = %q, want %q", tc.input, result, tc.expected)
            }
        })
    }
}

// TestAWFOpenAIApiTarget tests --openai-api-target emission
func TestAWFOpenAIApiTarget(t *testing.T) {
    t.Run("emits flag when OPENAI_BASE_URL set", func(t *testing.T) {
        workflowData := &WorkflowData{
            Name: "test-workflow",
            EngineConfig: &EngineConfig{
                ID: "codex",
                Env: map[string]string{"OPENAI_BASE_URL": "https://llm-router.internal.example.com/v1"},
            },
            NetworkPermissions: &NetworkPermissions{Firewall: &FirewallConfig{Enabled: true}},
        }
        engine := NewCodexEngine()
        steps := engine.GetExecutionSteps(workflowData, "test.log")
        if len(steps) == 0 { t.Fatal("Expected at least one step") }
        stepContent := strings.Join(steps[0], "\n")
        if !strings.Contains(stepContent, "--openai-api-target llm-router.internal.example.com") {
            t.Errorf("Expected --openai-api-target in command, got:\n%s", stepContent)
        }
    })
    t.Run("does not emit flag when absent", func(t *testing.T) {
        workflowData := &WorkflowData{
            Name: "test-workflow",
            EngineConfig: &EngineConfig{ID: "codex"},
            NetworkPermissions: &NetworkPermissions{Firewall: &FirewallConfig{Enabled: true}},
        }
        steps := NewCodexEngine().GetExecutionSteps(workflowData, "test.log")
        if len(steps) == 0 { t.Fatal() }
        if strings.Contains(strings.Join(steps[0], "\n"), "--openai-api-target") {
            t.Error("Should not emit --openai-api-target when OPENAI_BASE_URL absent")
        }
    })
    t.Run("does not emit flag for invalid URL", func(t *testing.T) {
        workflowData := &WorkflowData{
            Name: "test-workflow",
            EngineConfig: &EngineConfig{
                ID: "codex",
                Env: map[string]string{"OPENAI_BASE_URL": "://invalid"},
            },
            NetworkPermissions: &NetworkPermissions{Firewall: &FirewallConfig{Enabled: true}},
        }
        steps := NewCodexEngine().GetExecutionSteps(workflowData, "test.log")
        if len(steps) == 0 { t.Fatal() }
        if strings.Contains(strings.Join(steps[0], "\n"), "--openai-api-target") {
            t.Error("Should not emit --openai-api-target for invalid URL")
        }
    })
}

// TestAWFAnthropicApiTarget tests --anthropic-api-target emission
func TestAWFAnthropicApiTarget(t *testing.T) {
    t.Run("emits flag when ANTHROPIC_BASE_URL set", func(t *testing.T) {
        workflowData := &WorkflowData{
            Name: "test-workflow",
            EngineConfig: &EngineConfig{
                ID: "claude",
                Env: map[string]string{"ANTHROPIC_BASE_URL": "https://llm-router.internal.example.com/v1"},
            },
            NetworkPermissions: &NetworkPermissions{Firewall: &FirewallConfig{Enabled: true}},
        }
        steps := NewClaudeEngine().GetExecutionSteps(workflowData, "test.log")
        if len(steps) == 0 { t.Fatal() }
        if !strings.Contains(strings.Join(steps[0], "\n"), "--anthropic-api-target llm-router.internal.example.com") {
            t.Error("Expected --anthropic-api-target in command")
        }
    })
    t.Run("does not emit flag when absent", func(t *testing.T) {
        workflowData := &WorkflowData{
            Name: "test-workflow",
            EngineConfig: &EngineConfig{ID: "claude"},
            NetworkPermissions: &NetworkPermissions{Firewall: &FirewallConfig{Enabled: true}},
        }
        steps := NewClaudeEngine().GetExecutionSteps(workflowData, "test.log")
        if len(steps) == 0 { t.Fatal() }
        if strings.Contains(strings.Join(steps[0], "\n"), "--anthropic-api-target") {
            t.Error("Should not emit --anthropic-api-target when ANTHROPIC_BASE_URL absent")
        }
    })
}

---

Notes for the implementing agent

• The getEngineEnvOverrides helper already exists in engine_helpers.go -- use it
• net/url is a standard library package, no new dependency needed
• The AWF flags only emit when the sandbox is enabled (they're only meaningful with --enable-api-proxy)
• Run make agent-finish to validate