Wiring your machine
vulnetix ai-firewall install # every client the CLI detects
vulnetix ai-firewall install claude-code # just one
vulnetix ai-firewall install codex continue # several
Nothing is written until you have a provider key in the vault. See BYOK.
Always look before you leap.
vulnetix ai-firewall install --dry-run
Prints every file it would touch and what it would change, and writes nothing.
What gets written
| Client | File | What goes in it |
|---|---|---|
claude-code | ~/.claude/settings.json | An env block: base URL, auth token, and ANTHROPIC_API_KEY="" |
codex | ~/.codex/config.toml | A [model_providers.vulnetix-openai] block with wire_api = "responses" |
continue | ~/.continue/config.yaml + ~/.continue/.env | A models[] entry, and the key (see below) |
aider | .aider.conf.yml | openai-api-base and model |
shell | ~/.zshrc, ~/.bashrc, ~/.config/fish/config.fish | A managed block exporting the base URL and key. On Windows, user env via setx. |
env | .env, .envrc, or Makefile at the git root | The same variables, project-scoped |
cursor | — | Nothing. Prints instructions. |
windsurf | — | Nothing. Prints instructions. |
Everything written is inside a managed block, so uninstall can remove exactly what
was added and nothing else.
The key is a reference, not a literal
The CLI writes $VULNETIX_API_KEY, not your key. A wired config is safe to commit.
Except Continue. ~/.continue/.env holds the literal key, because the IDE extension
cannot read your shell environment. The CLI writes it chmod 600. If a literal key on a
developer’s disk is unacceptable in your environment, do not wire Continue.
Flags worth knowing
--provider and --model
vulnetix ai-firewall install codex --provider openai --model gpt-4o-mini
Without --provider, the CLI wires every provider that has a stored key.
--model is validated against your organisation’s policy before anything is
written. You cannot wire a model your policy would refuse — the CLI errors instead of
handing you a config that 403s at runtime.
--scope user|project
user writes to your home directory. project writes into the repository you are
standing in, so a checkout carries its own configuration.
--embed-key
Writes the literal key instead of a reference.
--embed-key into a path that is not git-ignored is a hard error. The CLI refuses
to help you commit a secret.
Use it only where a client genuinely cannot read an environment variable — and know that
you now have a key on disk. Audit with vulnetix secrets.
--create-env
By default, the env client only edits .env / .envrc / Makefile files that
already exist. It will not litter a repository with new files. --create-env lets it
create a .env.
Providers with no key are never wired
no provider is ready to wire: store a provider key first with
'vulnetix ai-firewall key set <provider>'
This is deliberate. Wiring a client to a provider with no key would produce a config that
403s on the first request with provider_key_missing — a worse outcome than refusing
to write it.
Uninstalling
vulnetix ai-firewall uninstall claude-code # one client
vulnetix ai-firewall uninstall --all # everything
vulnetix ai-firewall uninstall --except codex # everything but one
You must name a selector — bare uninstall does nothing, on purpose.
uninstall needs no authentication and makes no network call. It only removes local
files and managed blocks. It works when you are logged out, when your key is revoked, and
when the gateway is unreachable — which is exactly when you most need it to work.
For manual clients (Cursor, Windsurf, Claude Desktop) it tells you what to undo, because it never wrote anything to begin with.
Package Firewall writes to the same shell rc
Vulnetix’s Package Firewall is a different product, and it also writes a managed block to your shell rc. If you use both you will see two.
Each uninstall strips only its own marker. Removing the AI Firewall block never
touches the Package Firewall one.
Then verify
vulnetix ai-firewall status
Every wired client should show wired, with no error-level checks. For manual clients
the CLI cannot confirm anything — the absence of a warning is not evidence. Prove those
end to end with a canary rule.
Related
- Coding agents — the per-client tutorials.
- Status & checks — reading the output.
- BYOK — the key that must exist first.