Documentation

Coding Agents

Put Claude Code, Claude Desktop, Codex CLI, Cursor, Continue, Aider and every other OpenAI-compatible agent behind the firewall — and know exactly which of their traffic does not go through it.

A coding agent is the hardest LLM client to govern, because it does not only send what you type. It sends the files it reads, the output of the commands it runs, and the diffs it produces — all as ordinary prompt content. Putting an agent behind the firewall means that content is screened by your guardrails before it leaves the machine, your provider key never sits in the agent’s config, and the agent cannot quietly switch to a model your organisation has not approved.

Every agent on this page talks to the gateway over its native wire protocol. There is no local proxy, no daemon, and no shim to install. You change a base URL and a key, and that is the whole integration.

Compatibility matrix

AgentSurfaceCLI-wired?MechanismCaveats
Claude CodemessagesYes — install claude-code~/.claude/settings.json env block, or shell exportsANTHROPIC_API_KEY must be set to an empty string; /logout first if a previous Anthropic login is cached
Claude DesktopmessagesNo — manualBuilt-in third-party gateway, behind developer modeRequires a full restart, then Continue with Gateway on the start screen
Codex CLIresponsesYes — install codex~/.codex/config.toml, a [model_providers.*] blockRequires wire_api = "responses"; only the openai provider serves it
CursorchatNo — manualSettings → Models → API KeysTab completions and Auto mode do not route through your key. Agent-mode tool calls may fail
ContinuechatYes — install continue~/.continue/config.yaml + ~/.continue/.envThe .env holds the literal key (the IDE cannot read your shell env)
AiderchatYes — install aider.aider.conf.ymlNone once wired
WindsurfchatNo — manualModel / API-key settings panelSame class of gaps as Cursor: its own built-in completion features are not BYOK
Cline, Roo Code, Zed, …chatNoAny “OpenAI-compatible provider” fieldGeneric recipe: base URL + key
OpenCode, Hermes Agent, OpenClawchat (expected)NoTheir own config filesUnverified against the gateway. May work — tell us if it does
Junie (JetBrains)NoNot supported. Its provider is vendor-hardcoded and it offers no base-URL override
Warning Read the caveats column as a compliance statement, not a footnote. Cursor’s tab completions never touch the firewall, and neither does its Auto mode — that is a limit of Cursor, not of the gateway. If your control narrative says “100% of agent traffic is screened”, Cursor breaks it.

Tutorials

What the guardrails see

Guardrails run identically on all three request surfaces — chat, responses and messages — so a rule you write once covers a curl, a Codex turn and a Claude Code tool result alike. You never write a policy per agent.

For agents specifically, the important property is that tool results are scanned. When an agent reads a file or runs a command and feeds the output back into the conversation, that content is a prompt segment like any other and goes through your guardrails on the next turn. A secret in a .env the agent happened to cat is caught on the way out.

Warning Known gap, stated once: the arguments the model generates for a tool call are not scanned. If the model writes a shell command or a file body as tool-call arguments, that content is not screened. Everything the agent sends as ordinary prompt content — including the results it gets back — is.

When a guardrail blocks a request, the gateway answers 403 with code: request_blocked and blocked_by: <rule name>, rendered in the dialect of whatever client asked. Your agent prints a readable error, not a bare status code.

How the CLI wires a client

vulnetix ai-firewall install claude-code codex aider

install takes one or more client ids (or none, to wire every client it detects). For each one it writes a managed block into that client’s own config file — the base URL for your organisation, and a reference to the VULNETIX_API_KEY environment variable. It never invents settings the client does not have.

Before it writes anything, it checks:

  • A provider must have a stored key. Providers with no key in the BYOK vault are never wired. If none are ready you get: no provider is ready to wire: store a provider key first with 'vulnetix ai-firewall key set <provider>'
  • --model is validated against your organisation’s policy before the file is touched, so you cannot wire a model your org would refuse at request time.
  • --embed-key refuses to write a literal key into a path that is not git-ignored. It is a hard error, not a warning — it will not help you commit a secret.

Useful flags: --provider (repeatable), --model, --scope user|project, --dry-run, --embed-key, --create-env, --gateway-url.

To undo:

vulnetix ai-firewall uninstall claude-code       # one client
vulnetix ai-firewall uninstall --all             # every client
vulnetix ai-firewall uninstall --all --except codex

uninstall removes only the managed block. It needs no authentication and touches nothing but local files.

Note package-firewall is a different Vulnetix product, and it also writes a managed block to the same shell rc file. Seeing two Vulnetix blocks in your ~/.zshrc is expected and correct. Each product’s uninstall strips only its own marker, so removing one never disturbs the other.

Where to look when something is wrong

vulnetix ai-firewall status

status lists every provider and whether a key is stored, every local client it detected and whether it is wired, points elsewhere, not wired, manual or not installed, and a set of checks. The one to read first is bypasses_firewall — a client on your machine that is configured to talk to a provider directly. The others are provider_denied, provider_key_missing, model_denied, model_not_allowed, wire_unsupported, key_env_unset and guardrail_pattern_invalid.

Claude Code
Put Anthropic's agentic CLI behind the firewall — one command, or three environment variables. The Messages base URL takes no /v1 suffix.
Claude Desktop
Route Claude Desktop through the firewall using its built-in third-party gateway feature. No proxy, no CLI — but it is a manual setup, hidden behind developer mode.
Codex CLI
Put OpenAI's Codex CLI behind the firewall. It requires the Responses API, which only the openai provider serves — the CLI writes the config.toml block for you.
Cursor
Point Cursor's OpenAI provider at the firewall. Read the limitations first — Cursor's tab completions and Auto mode never route through your key, and that is a compliance gap you must know about.
Continue
Wire the Continue extension for VS Code and JetBrains to the firewall. CLI-wired — but the key lands in a file, because an IDE extension cannot read your shell environment.
Aider
Wire Aider to the firewall with .aider.conf.yml. CLI-wired, per-repository or per-user, and nothing it sends bypasses the gateway.
Windsurf
Point Windsurf's OpenAI-compatible provider at the firewall. Manual setup, and — like Cursor — its own built-in completion features are not covered by your key.
Other clients
The generic recipe for any OpenAI-compatible client — Cline, Roo Code, Zed and the rest. Plus the clients we have not verified, and the one that cannot be supported at all.
Agents in CI/CD
Run coding agents in CI behind the firewall. One repository secret, the same base URL, and a status gate that fails the build if the agent is not wired.