From df73ab4aa86b113c5ec3df91409578cd734ba917 Mon Sep 17 00:00:00 2001
From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com>
Date: Fri, 13 Feb 2026 05:04:28 +0000
Subject: [PATCH 1/2] Initial plan

From a784a8dfe87a2f1c4cdf2d07e5d4e4af52190cec Mon Sep 17 00:00:00 2001
From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com>
Date: Fri, 13 Feb 2026 05:07:32 +0000
Subject: [PATCH 2/2] fix(firewall): add api-proxy to allowed domains when enabled

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
---
src/docker-manager.test.ts | 51 ++++++++++++++++++++++++++++++++++++++
src/docker-manager.ts | 7 +++++-
2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/src/docker-manager.test.ts b/src/docker-manager.test.ts
index 7b1150217..7b05b7467 100644
--- a/src/docker-manager.test.ts
+++ b/src/docker-manager.test.ts
@@ -1854,6 +1854,57 @@ describe('docker-manager', () => { process.env.SUDO_USER = originalSudoUser; } }); + + it('should include api-proxy in allowed domains when enableApiProxy is true', async () => { + const config: WrapperConfig = { + allowedDomains: ['github.com'], + agentCommand: 'echo test', + logLevel: 'info', + keepContainers: false, + workDir: testDir, + enableApiProxy: true, + openaiApiKey: 'sk-test-key', + }; + + try { + await writeConfigs(config); + } catch { + // May fail after writing configs + } + + // Verify squid.conf includes api-proxy in allowed domains + const squidConfPath = path.join(testDir, 'squid.conf'); + if (fs.existsSync(squidConfPath)) { + const content = fs.readFileSync(squidConfPath, 'utf-8'); + expect(content).toContain('github.com'); + expect(content).toContain('api-proxy'); + } + }); + + it('should not include api-proxy in allowed domains when enableApiProxy is false', async () => { + const config: WrapperConfig = { + allowedDomains: ['github.com'], + agentCommand: 'echo test', + logLevel: 'info', + keepContainers: false, + workDir: testDir, + enableApiProxy: false, + }; + + try { + await writeConfigs(config); + } catch { + // May fail after writing configs + } + + // Verify squid.conf does not include api-proxy when disabled + const squidConfPath = path.join(testDir, 'squid.conf'); + if (fs.existsSync(squidConfPath)) { + const content = fs.readFileSync(squidConfPath, 'utf-8'); + expect(content).toContain('github.com'); + expect(content).not.toContain('api-proxy'); + } + }); }); describe('startContainers', () => { diff --git a/src/docker-manager.ts b/src/docker-manager.ts index ffb3b1100..53aaffc59 100644 --- a/src/docker-manager.ts +++ b/src/docker-manager.ts 
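Review bot: Both new tests can pass without asserting anything: the empty `catch` swallows any error from `writeConfigs`, and every `expect` sits inside `if (fs.existsSync(squidConfPath))`, so a run in which `squid.conf` is never written still goes green. That matters most for the `enableApiProxy: false` case, which is the one guarding against the egress allowlist being widened unintentionally. Assert the file's presence first with `expect(fs.existsSync(squidConfPath)).toBe(true);` and drop the `if`. `toContain('api-proxy')` also matches the string anywhere in the generated file, so matching the ACL line that carries the domain would pin the behaviour more tightly. The positive case additionally depends on `networkConfig.proxyIp` being set, which this hunk does not show.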
@@ -1112,8 +1112,13 @@ export async function writeConfigs(config: WrapperConfig): Promise { // Write Squid config // Note: Use container path for SSL database since it's mounted at /var/spool/squid_ssl_db + // When API proxy is enabled, add api-proxy to allowed domains so agent can communicate with it + const domainsForSquid = config.enableApiProxy && networkConfig.proxyIp + ? [...config.allowedDomains, 'api-proxy'] + : config.allowedDomains; + const squidConfig = generateSquidConfig({ - domains: config.allowedDomains, + domains: domainsForSquid, blockedDomains: config.blockedDomains, port: SQUID_PORT, sslBump: config.sslBump,
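Review bot: The new allowlist entry is gated on `config.enableApiProxy && networkConfig.proxyIp`, so when the proxy is enabled but `proxyIp` is unset the entry is dropped without any signal, and the agent's requests to the sidecar would presumably just be denied by Squid. If that state is not expected, make it explicit by logging or failing instead of falling back to `config.allowedDomains`. The literal `'api-proxy'` must also stay in step with the hostname the sidecar is given elsewhere, so a shared constant such as `const API_PROXY_HOSTNAME = 'api-proxy';` would keep the firewall rule and the service definition from drifting apart. Because this widens the egress allowlist, the comment should also say how `generateSquidConfig` matches a single-label name (exact host or with subdomains) and whether `blockedDomains` still takes precedence. The body of `writeConfigs` starts and ends outside this hunk, so where `networkConfig` is populated is not visible here.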