// Practical Python scripts for debugging awf - parse logs, diagnose issues, inspect containers, test domains
Use the AWF (Agentic Workflow Firewall) to run commands with network isolation and domain whitelisting. Provides L7 HTTP/HTTPS egress control for AI agents.
Regenerate and post-process all agentic workflows. Use when gh-aw is updated, workflow .md files change, or when asked to recompile/regenerate workflows.
Use the AWF (Agentic Workflow Firewall) to run commands with network isolation and domain whitelisting. Provides L7 HTTP/HTTPS egress control for AI agents.
Debug the AWF firewall by inspecting Docker containers (awf-squid, awf-agent), analyzing Squid access logs, checking iptables rules, and troubleshooting blocked domains or network issues.
Debug GitHub Actions workflows by downloading logs, analyzing summaries, and understanding how agentic workflows and the AWF firewall work together.
| name | awf-debug-tools |
| description | Practical Python scripts for debugging awf - parse logs, diagnose issues, inspect containers, test domains |
| allowed-tools | Bash(python:*), Bash(docker:*), Bash(sudo:*), Read |
A collection of practical Python scripts that help agents efficiently debug and operate the awf firewall. These scripts reduce verbose Docker/log output by 80%+ and provide actionable insights instead of raw data dumps.
Problem: Docker commands and log files are verbose and hard for agents to parse. Diagnosing issues requires 10+ manual commands and produces noisy output that wastes tokens.
Solution: One script replaces 5-10 manual commands with clean, filtered output optimized for agent consumption. All scripts support JSON format for easy parsing.
All scripts are located in .claude/skills/awf-debug-tools/scripts/:
# Auto-discover logs and show all domains
python .claude/skills/awf-debug-tools/scripts/parse-squid-logs.py
# Show only blocked domains
python .claude/skills/awf-debug-tools/scripts/parse-squid-logs.py --blocked-only
# Filter by domain
python .claude/skills/awf-debug-tools/scripts/parse-squid-logs.py --domain github.com
# Show top 10, JSON output
python .claude/skills/awf-debug-tools/scripts/parse-squid-logs.py --top 10 --format json
# Quick health check
python .claude/skills/awf-debug-tools/scripts/diagnose-awf.py
# Detailed output
python .claude/skills/awf-debug-tools/scripts/diagnose-awf.py --verbose
# JSON output for agent parsing
python .claude/skills/awf-debug-tools/scripts/diagnose-awf.py --format json
# Inspect all containers
python .claude/skills/awf-debug-tools/scripts/inspect-containers.py
# Specific container only
python .claude/skills/awf-debug-tools/scripts/inspect-containers.py --container awf-squid
# Show only logs
python .claude/skills/awf-debug-tools/scripts/inspect-containers.py --logs-only
# JSON output
python .claude/skills/awf-debug-tools/scripts/inspect-containers.py --format json
# Test if domain is allowed
python .claude/skills/awf-debug-tools/scripts/test-domain.py github.com
# Test blocked domain with fix suggestion
python .claude/skills/awf-debug-tools/scripts/test-domain.py npmjs.org --suggest-fix
# Check allowlist only (no log lookup)
python .claude/skills/awf-debug-tools/scripts/test-domain.py api.github.com --check-allowlist
# JSON output
python .claude/skills/awf-debug-tools/scripts/test-domain.py github.com --format json
When a command fails due to blocked domain:
# 1. Run diagnostics to check overall health
python .claude/skills/awf-debug-tools/scripts/diagnose-awf.py
# 2. Parse logs to find which domains were blocked
python .claude/skills/awf-debug-tools/scripts/parse-squid-logs.py --blocked-only
# 3. Test specific domain and get fix suggestion
python .claude/skills/awf-debug-tools/scripts/test-domain.py npmjs.org --suggest-fix
# 4. Apply the suggested fix
sudo awf --allow-domains github.com,npmjs.org 'your-command'
When containers aren't starting or behaving unexpectedly:
# 1. Check container status and recent logs
python .claude/skills/awf-debug-tools/scripts/inspect-containers.py
# 2. Run full diagnostics
python .claude/skills/awf-debug-tools/scripts/diagnose-awf.py --verbose
# 3. If issues found, check Squid logs for errors
python .claude/skills/awf-debug-tools/scripts/parse-squid-logs.py
For agents to diagnose issues without human intervention:
# Run all checks with JSON output
python .claude/skills/awf-debug-tools/scripts/diagnose-awf.py --format json | jq .
# Parse blocked domains
python .claude/skills/awf-debug-tools/scripts/parse-squid-logs.py --blocked-only --format json | jq .
# Test each blocked domain
python .claude/skills/awf-debug-tools/scripts/test-domain.py npmjs.org --format json | jq .
All scripts support two output formats:
Use --format json to get structured output that's easy to parse programmatically.
All scripts use consistent exit codes:
All scripts use Python 3.8+ stdlib only. No pip install required. They work out of the box on any system with Python 3.8+.
Purpose: Extract blocked domains from Squid logs with counts and statistics.
Key Options:
--blocked-only - Show only blocked domains--domain DOMAIN - Filter by specific domain--top N - Show top N domains by request count--format {table,json} - Output formatAuto-discovers logs from running containers, preserved logs, or work directories.
Purpose: Run automated diagnostic checks and report issues with fixes.
Checks:
Key Options:
--verbose - Show detailed check output--format {text,json} - Output formatPurpose: Show concise container status without verbose docker output.
Shows:
Key Options:
--container NAME - Inspect specific container only--logs-only - Show only recent logs--tail N - Number of log lines (default: 5)--format {text,json} - Output formatPurpose: Test if domain is reachable through the firewall.
Checks:
Key Options:
--check-allowlist - Only check allowlist, don't check logs--suggest-fix - Show suggested --allow-domains flag--format {text,json} - Output formatdebug-firewall skillawf-mcp-gateway skilldocs/troubleshooting.mdAll scripts are designed for fast execution:
parse-squid-logs.py: <2 seconds for typical log filesdiagnose-awf.py: <3 seconds for all checksinspect-containers.py: <2 seconds for both containerstest-domain.py: <1 second for domain check$ python .claude/skills/awf-debug-tools/scripts/parse-squid-logs.py --blocked-only
Blocked Domains (sorted by count):
Domain Blocked Allowed Total
=================================================
registry.npmjs.org 45 0 45
example.com 12 0 12
Total requests: 1234
Blocked: 57 (4.6%)
Allowed: 1177 (95.4%)
$ python .claude/skills/awf-debug-tools/scripts/diagnose-awf.py
AWF Diagnostic Report
========================================
[✓] Containers: awf-squid (running), awf-agent (exited:0)
[✓] Health: Squid healthy
[✓] Network: awf-net exists ([{Subnet:172.30.0.0/24 Gateway:172.30.0.1}])
[✓] Connectivity: Squid reachable on 172.30.0.10:3128
[✓] DNS: DNS servers: 127.0.0.11, 8.8.8.8, 8.8.4.4
[✓] Config: 3 domains in allowlist (github.com, .github.com, api.github.com)
Summary: All checks passed ✓
$ python .claude/skills/awf-debug-tools/scripts/test-domain.py npmjs.org --suggest-fix
Testing: npmjs.org
[✗] Allowlist check: Not in allowlist
[✗] Reachability: Blocked (403 TCP_DENIED:HIER_NONE)
[✗] Status: BLOCKED
Suggested fix:
awf --allow-domains github.com,npmjs.org 'your-command'
--format json | jq .Script not found:
# Use absolute path
python /home/mossaka/developer/gh-aw-repos/gh-aw-firewall/.claude/skills/awf-debug-tools/scripts/parse-squid-logs.py
Permission denied on logs:
# Squid logs require sudo to read
sudo python .claude/skills/awf-debug-tools/scripts/parse-squid-logs.py --log-file /tmp/squid-logs-*/access.log
No logs found:
# Run awf first to generate logs
sudo awf --allow-domains github.com 'curl https://api.github.com'
# Then parse
python .claude/skills/awf-debug-tools/scripts/parse-squid-logs.py
Planned scripts for future versions:
analyze-traffic.py - Analyze traffic patterns over timegenerate-allowlist.py - Auto-generate allowlist from logscleanup-awf.py - Clean up orphaned resourcesbenchmark-awf.py - Performance testing utilities