docs: expand README to reflect AWF feature scope and command surface

[Copilot]

✨ Enhancement

The README described AWF accurately at a high level but underrepresented the implemented product surface, omitting major CLI capabilities, operational subcommands, and GitHub Action usage. This update makes the landing page reflect real scope without duplicating full reference docs.

• What does this improve?

  • Adds a Feature highlights section summarizing major implemented capabilities across config, security, API proxy, and infrastructure.
  • Adds a CLI subcommands section covering awf predownload and awf logs with stats, summary, and audit.
  • Adds a GitHub Action quick start showing uses: github/gh-aw-firewall@v1.
  • Adds an explicit pointer to awf --help for full CLI discovery.
  • Refreshes requirements wording to explicitly mention Linux x86_64 and arm64 support.

• Why is this valuable?

  • Gives first-time readers an accurate mental model of AWF breadth from the top-level README.
  • Reduces feature discoverability gaps while keeping detailed flag-level documentation in docs/.

• Implementation approach:

  • README-only, surgical documentation edits:
    • New sections: Feature highlights, CLI subcommands, GitHub Action quick start
    • Minor requirements line update for architecture clarity
    • Cross-links preserved to existing deep-dive docs

steps:
  - uses: actions/checkout@v4
  - name: Setup AWF
    uses: github/gh-aw-firewall@v1
  - name: Run command through firewall
    run: sudo awf --allow-domains github.com,api.github.com -- curl https://api.github.com

[github-actions]

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit 97116d7

[Copilot]

Pull request overview

Updates the top-level README to better reflect the Agentic Workflow Firewall (AWF) feature surface and operational entry points, improving first-time discoverability without duplicating the deeper docs.

Changes:

• Expands requirements wording to explicitly mention Linux x86_64 and arm64 support.
• Adds a “Feature highlights” section summarizing major implemented capabilities (config, security, API proxy, infra, ops).
• Adds a brief CLI subcommand overview and a GitHub Action quick start snippet.

Show a summary per file

File	Description
README.md	Adds feature/CLI/Action highlights and clarifies supported Linux architectures to better match AWF’s implemented scope.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 2

[lpcox]

@copilot address review feedback

[Copilot]

@copilot address review feedback

Addressed in commit d9cd947. I updated README to clarify that --allow-urls requires --ssl-bump, and that awf logs audit requires policy-manifest.json (typically produced via --audit-dir).

[github-actions]

Smoke Test Results

• ❌ GitHub API: HTTP 401 credentials error
• ✅ Playwright: Navigation to github.com confirmed (title contains "GitHub")
• ✅ File verify: /tmp/gh-aw/agent/smoke-test-claude-25923510543.txt exists

Result: 2/3 PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔬 Smoke Test Results — PR #3214

Test	Result
GitHub MCP connectivity	❌ 401 Bad credentials
GitHub.com HTTP connectivity	❌ Template var unresolved
File write/read	❌ Template var unresolved

Overall: FAIL — Pre-step outputs (steps.smoke-data.outputs.*) were not substituted; workflow step likely did not run or outputs were not set. GitHub MCP token also returned 401.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test Codex 25923510576
PRs: Refactor api-proxy SIGTERM/SIGINT shutdown flow into a shared handler; Cap /reflect effective-token totals at configured maxEffectiveTokens
GitHub PR review ✅ | safeinputs-gh ❌ | Playwright ✅ | Tavily ❌
File/bash ✅ | Discussion ❌ | Build ✅
Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

🔥 Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	❌ 401 Bad credentials (MCP token unavailable)
GitHub.com HTTP connectivity	⚠️ Pre-step data not injected (template vars unresolved)
File write/read	⚠️ Pre-step data not injected (template vars unresolved)
BYOK inference (agent → api-proxy → api.githubcopilot.com)	✅ Confirmed — agent is responding

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: PARTIAL — BYOK inference works; pre-step smoke data was not passed to the agent (unresolved ${{ steps.smoke-data.outputs.* }} variables in the prompt).

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test Results

• GitHub MCP Testing: ❌ (Tool missing)
• GitHub.com Connectivity: ❌ (Status 000)
• File Writing Testing: ✅
• Bash Tool Testing: ✅

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3214 · ● 4.9M · ◷

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

Check	Result
Redis PING	❌ timeout (no response on host.docker.internal:6379)
PostgreSQL pg_isready	❌ no response on host.docker.internal:5432
PostgreSQL SELECT 1	❌ skipped (pg_isready failed)

Overall: FAIL — Service containers are not reachable via host.docker.internal from this runner environment.

🔌 Service connectivity validated by Smoke Services