Wiring your machine

vulnetix ai-firewall install                 # every client the CLI detects
vulnetix ai-firewall install claude-code     # just one
vulnetix ai-firewall install codex continue  # several

Nothing is written until you have a provider key in the vault. See BYOK.

Tip

Always look before you leap.

vulnetix ai-firewall install --dry-run

Prints every file it would touch and what it would change, and writes nothing.

What gets written

ClientFileWhat goes in it
claude-code~/.claude/settings.jsonAn env block: base URL, auth token, and ANTHROPIC_API_KEY=""
codex~/.codex/config.tomlA [model_providers.vulnetix-openai] block with wire_api = "responses"
continue~/.continue/config.yaml + ~/.continue/.envA models[] entry, and the key (see below)
aider.aider.conf.ymlopenai-api-base and model
shell~/.zshrc, ~/.bashrc, ~/.config/fish/config.fishA managed block exporting the base URL and key. On Windows, user env via setx.
env.env, .envrc, or Makefile at the git rootThe same variables, project-scoped
cursorNothing. Prints instructions.
windsurfNothing. Prints instructions.

Everything written is inside a managed block, so uninstall can remove exactly what was added and nothing else.

The key is a reference, not a literal

The CLI writes $VULNETIX_API_KEY, not your key. A wired config is safe to commit.

Except Continue. ~/.continue/.env holds the literal key, because the IDE extension cannot read your shell environment. The CLI writes it chmod 600. If a literal key on a developer’s disk is unacceptable in your environment, do not wire Continue.

Flags worth knowing

--provider and --model

vulnetix ai-firewall install codex --provider openai --model gpt-4o-mini

Without --provider, the CLI wires every provider that has a stored key.

--model is validated against your organisation’s policy before anything is written. You cannot wire a model your policy would refuse — the CLI errors instead of handing you a config that 403s at runtime.

--scope user|project

user writes to your home directory. project writes into the repository you are standing in, so a checkout carries its own configuration.

--embed-key

Writes the literal key instead of a reference.

Warning

--embed-key into a path that is not git-ignored is a hard error. The CLI refuses to help you commit a secret.

Use it only where a client genuinely cannot read an environment variable — and know that you now have a key on disk. Audit with vulnetix secrets.

--create-env

By default, the env client only edits .env / .envrc / Makefile files that already exist. It will not litter a repository with new files. --create-env lets it create a .env.

Providers with no key are never wired

no provider is ready to wire: store a provider key first with
'vulnetix ai-firewall key set <provider>'

This is deliberate. Wiring a client to a provider with no key would produce a config that 403s on the first request with provider_key_missing — a worse outcome than refusing to write it.

Uninstalling

vulnetix ai-firewall uninstall claude-code    # one client
vulnetix ai-firewall uninstall --all          # everything
vulnetix ai-firewall uninstall --except codex # everything but one

You must name a selector — bare uninstall does nothing, on purpose.

uninstall needs no authentication and makes no network call. It only removes local files and managed blocks. It works when you are logged out, when your key is revoked, and when the gateway is unreachable — which is exactly when you most need it to work.

For manual clients (Cursor, Windsurf, Claude Desktop) it tells you what to undo, because it never wrote anything to begin with.

Package Firewall writes to the same shell rc

Note

Vulnetix’s Package Firewall is a different product, and it also writes a managed block to your shell rc. If you use both you will see two.

Each uninstall strips only its own marker. Removing the AI Firewall block never touches the Package Firewall one.

Then verify

vulnetix ai-firewall status

Every wired client should show wired, with no error-level checks. For manual clients the CLI cannot confirm anything — the absence of a warning is not evidence. Prove those end to end with a canary rule.