Skip to content

feat: rename --security-mode to --legacy-security, deprecate --enable-api-proxy#6209

Merged
lpcox merged 7 commits into
mainfrom
feat/legacy-security-rename
Jul 14, 2026
Merged

feat: rename --security-mode to --legacy-security, deprecate --enable-api-proxy#6209
lpcox merged 7 commits into
mainfrom
feat/legacy-security-rename

Conversation

@lpcox

@lpcox lpcox commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Summary

Replaces the --security-mode strict|compat enum with a simple --legacy-security boolean flag and makes the API proxy unconditionally enabled.

Changes

New flag: --legacy-security

  • Boolean flag (no value needed)
  • Enables legacy security mode: sudo, host-access, iptables
  • Default (no flag) = strict security: network-isolation + API proxy

Deprecated: --security-mode

  • Still accepted for backward compatibility (hidden from --help)
  • --security-mode compat → maps to --legacy-security, emits deprecation warning
  • --security-mode strict → emits deprecation warning (strict is the default)

API proxy always enabled

  • --enable-api-proxy: emits deprecation warning, continues normally
  • --no-enable-api-proxy: hard error — API proxy cannot be disabled
  • API proxy is forced on in both strict and legacy modes
  • No real auth tokens are ever exposed to the agent container

Config file schema

  • security.securityModesecurity.legacySecurity (boolean)

Motivation

  • "compat" was ambiguous — "legacy" makes it clear this is a deprecated path
  • No "mode" concept — just a flag you enable or don't
  • API proxy is a security invariant, not a choice

Closes #6207

Related

…-api-proxy

Replace the --security-mode strict|compat enum with a simple --legacy-security
boolean flag. Strict security is the default and requires no flag. Legacy mode
must be explicitly opted into via --legacy-security.

Key changes:
- Add --legacy-security boolean flag (new primary interface)
- Keep --security-mode hidden for backward compatibility (emits deprecation warning)
- --enable-api-proxy: emit deprecation warning (API proxy is always enabled)
- --no-enable-api-proxy: hard error (API proxy cannot be disabled)
- API proxy is always forced on in both strict and legacy modes
- All warning messages updated to reference --legacy-security

The API proxy is now unconditionally enabled for credential isolation —
no real auth tokens (GITHUB_TOKEN, OPENAI_API_KEY, ANTHROPIC_API_KEY,
COPILOT_GITHUB_TOKEN) are ever exposed to the agent container.

Closes #6207

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
Copilot AI review requested due to automatic review settings July 14, 2026 00:05
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 98.93% 98.86% 📉 -0.07%
Statements 98.88% 98.82% 📉 -0.06%
Functions 99.34% 99.34% ➡️ +0.00%
Branches 95.15% 95.04% 📉 -0.11%
📁 Per-file Coverage Changes (3 files)
File Lines (Before → After) Statements (Before → After)
src/commands/build-config.ts 95.7% → 84.8% (-10.81%) 95.7% → 84.8% (-10.81%)
src/commands/validators/infrastructure-validator.ts 100.0% → 96.6% (-3.39%) 100.0% → 96.6% (-3.39%)
src/log-directory-setup.ts 96.2% → 100.0% (+3.78%) 96.3% → 100.0% (+3.71%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

1 similar comment
@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 98.93% 98.86% 📉 -0.07%
Statements 98.88% 98.82% 📉 -0.06%
Functions 99.34% 99.34% ➡️ +0.00%
Branches 95.15% 95.04% 📉 -0.11%
📁 Per-file Coverage Changes (3 files)
File Lines (Before → After) Statements (Before → After)
src/commands/build-config.ts 95.7% → 84.8% (-10.81%) 95.7% → 84.8% (-10.81%)
src/commands/validators/infrastructure-validator.ts 100.0% → 96.6% (-3.39%) 100.0% → 96.6% (-3.39%)
src/log-directory-setup.ts 96.2% → 100.0% (+3.78%) 96.3% → 100.0% (+3.71%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Replaces security modes with --legacy-security and makes API-proxy credential isolation mandatory.

Changes:

  • Adds the legacy-security flag and deprecated CLI compatibility paths.
  • Forces API proxy activation across security configurations.
  • Updates configuration types, mapping, validation tests, and integration fixtures.
Show a summary per file
File Description
tests/fixtures/awf-runner.ts Uses the new legacy flag.
src/types/security-options.ts Replaces the security-mode type.
src/config-mapper.ts Maps the new config property.
src/config-file.ts Updates the config interface.
src/commands/validators/security-mode.ts Enforces security defaults and deprecations.
src/commands/validators/security-mode.test.ts Tests updated enforcement behavior.
src/commands/validators/config-assembly.test-utils.ts Updates test defaults and mocks.
src/commands/validators/config-assembly-api-proxy.test.ts Reflects mandatory API proxy behavior.
src/commands/validate-options.test.ts Updates validation fixtures.
src/commands/build-config.ts Resolves new and deprecated options.
src/cli-options.ts Registers the new and compatibility flags.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 11/11 changed files
  • Comments generated: 5
  • Review effort level: Medium

Comment thread src/config-file.ts
};
security?: {
securityMode?: 'strict' | 'compat';
legacySecurity?: boolean;
Comment on lines +109 to +110
function handleApiProxyDeprecation(config: WrapperConfig): void {
if (config.enableApiProxy === false) {
Comment on lines +110 to +114
if (config.enableApiProxy === false) {
throw new Error(
'--no-enable-api-proxy is not allowed. The API proxy is always enabled for credential isolation.\n' +
'Remove the --no-enable-api-proxy flag from your command.',
);
Comment thread src/cli-options.ts Outdated
Comment on lines +302 to +304
.option(
'--enable-api-proxy',
'Enable API proxy sidecar for secure credential injection.\n' +
' Supports OpenAI (Codex) and Anthropic (Claude) APIs.'
'[DEPRECATED] The API proxy is always enabled. This flag is ignored.'
Comment thread src/commands/build-config.ts Outdated
Comment on lines +13 to +15
// Handle deprecated --security-mode flag
const securityMode = options.securityMode as string | undefined;
if (securityMode === 'compat') {
Tests the deprecated --security-mode compat/strict mapping and the new
--legacy-security boolean flag to restore coverage above baseline.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
@github-actions

Copy link
Copy Markdown
Contributor

✅ Copilot review passed with no inline comments.

@lpcox Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 98.93% 98.93% ➡️ +0.00%
Statements 98.88% 98.89% 📈 +0.01%
Functions 99.34% 99.34% ➡️ +0.00%
Branches 95.15% 95.10% 📉 -0.05%
📁 Per-file Coverage Changes (3 files)
File Lines (Before → After) Statements (Before → After)
src/commands/validators/infrastructure-validator.ts 100.0% → 96.6% (-3.39%) 100.0% → 96.6% (-3.39%)
src/commands/build-config.ts 95.7% → 97.0% (+1.31%) 95.7% → 97.0% (+1.31%)
src/log-directory-setup.ts 96.2% → 100.0% (+3.78%) 96.3% → 100.0% (+3.71%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

- Update awf-config-schema.json: add legacySecurity field, keep
  securityMode as deprecated for backward compat
- Stop mapping apiProxy.enabled from config file to avoid false CLI
  deprecation warnings (API proxy is unconditionally enabled)
- Replace throw with logger.error + process.exit(1) for proper error
  reporting through the CLI validation path
- Hide --enable-api-proxy and --no-enable-api-proxy from --help output
- Fix resolveLegacySecurity priority: --legacy-security now wins over
  deprecated --security-mode when both are specified
- Add config-mapper tests for securityMode → legacySecurity mapping
- Move API Proxy help section header to first visible option

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit fa702f5

@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 98.93% 98.93% ➡️ +0.00%
Statements 98.88% 98.89% 📈 +0.01%
Functions 99.34% 99.34% ➡️ +0.00%
Branches 95.15% 95.08% 📉 -0.07%
📁 Per-file Coverage Changes (3 files)
File Lines (Before → After) Statements (Before → After)
src/commands/validators/infrastructure-validator.ts 100.0% → 96.6% (-3.39%) 100.0% → 96.6% (-3.39%)
src/commands/build-config.ts 95.7% → 97.1% (+1.49%) 95.7% → 97.1% (+1.49%)
src/log-directory-setup.ts 96.2% → 100.0% (+3.78%) 96.3% → 100.0% (+3.71%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

…tion path

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Smoke Claude passed

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

Tests failed; no label added

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Contribution Check failed. Please review the logs for details.

@github-actions

Copy link
Copy Markdown
Contributor

🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Smoke Gemini completed. All facets verified. 💎

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

📰 VERDICT: Smoke Docker Sbx has concluded. All systems operational. This is a developing story. 🎤

@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 98.93% 98.96% 📈 +0.03%
Statements 98.88% 98.92% 📈 +0.04%
Functions 99.34% 99.34% ➡️ +0.00%
Branches 95.15% 95.11% 📉 -0.04%
📁 Per-file Coverage Changes (2 files)
File Lines (Before → After) Statements (Before → After)
src/commands/build-config.ts 95.7% → 97.1% (+1.49%) 95.7% → 97.1% (+1.49%)
src/log-directory-setup.ts 96.2% → 100.0% (+3.78%) 96.3% → 100.0% (+3.71%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test Results

Test Result
GitHub MCP connectivity ✅ (available)
GitHub.com HTTP ❌ (pre-step template vars not expanded)
File write/read ❌ (pre-step template vars not expanded)

Overall: FAIL — pre-computed step outputs were not injected into prompt.

PR author: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📰 BREAKING: Report filed by Smoke Copilot
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode

Test Result
GitHub.com Connectivity ✅ HTTP 200
File Write/Read
BYOK Inference
MCP Connectivity ⚠️ (gh not authenticated in sandbox)

Status: PASS (core BYOK path working)

Running in direct BYOK mode via api-proxy → api.githubcopilot.com

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK report filed by Smoke Copilot BYOK
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot PAT Auth

Test Result
GitHub MCP connectivity
GitHub.com HTTP ⚠️ pre-step data unavailable (template vars unexpanded)
File write/read ⚠️ pre-step data unavailable (template vars unexpanded)

Overall: PARTIAL — MCP reachable; pre-computed outputs not expanded.

Auth mode: PAT (COPILOT_GITHUB_TOKEN) | Author: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 PAT report filed by Smoke Copilot PAT
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Claude Engine Validation

Overall result: ✅ PASS

Check Result
API status ✅ PASS
gh check ✅ PASS
File status ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Smoke Claude for #6209 · 55.1 AIC · ⊞ 5.8K ·
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test Results

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke test results:\n- feat: add --security-mode strict|compat with strict as default ✅\n- feat: rename --security-mode to --legacy-security, deprecate --enable-api-proxy ✅\n- GitHub title check ✅\n- Discussion lookup/comment ✅\n- File write/read ✅\n- Build ✅\nOverall status: PASS

Warning

Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • awmgmcpg
  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🔬 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Notes
1. Module Loading ✅ Pass otel.js loads successfully; exports: startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
2. Test Suite ✅ Pass 59 tests passed across otel.test.js + otel-fanout.test.js (0 failures)
3. Env Var Forwarding ✅ Pass api-proxy-env-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration ✅ Pass onUsage callback exists in token-tracker-http.js as the OTEL hook point
5. OTEL Diagnostics ⏳ Pending Post-agent step; agent job still in progress at report time

Overall: All pre-step validations passed. OTEL tracing integration is functional.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

📡 OTel tracing validated by Smoke OTel Tracing
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Services Connectivity

  • Redis PING: ❌ (host.docker.internal DNS does not resolve; fallback to 127.0.0.1 → Connection refused)
  • PostgreSQL pg_isready: ❌ (no response on port 5432)
  • PostgreSQL SELECT 1: ❌ (connection refused)

Overall: FAIL — service containers are not reachable from this runner environment (host.docker.internal DNS unavailable, no default gateway detected).

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔌 Service connectivity validated by Smoke Services
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Chroot Version Comparison

Runtime Host Version Chroot Version Match?
Python Python 3.12.13 Python 3.12.3
Node.js v24.18.0 v22.23.1
Go go1.22.12 go1.22.12

Result: Not all tests passed — Python and Node.js versions differ between host and chroot.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Tested by Smoke Chroot
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

Smoke Test: Copilot BYOK (Direct) Mode — Azure OpenAI (Foundry, api-key)

  • GitHub MCP Testing: ✅
  • GitHub.com Connectivity: ✅
  • File Write/Read Test: ✅
  • BYOK Inference Test: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

CC: @lpcox

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🔥 Smoke Test: Docker Sbx — PASS

Test Result
GitHub MCP connectivity
github.com HTTP (200)
File write/read

PR: feat: rename --security-mode to --legacy-security, deprecate --enable-api-proxy
Author: @lpcox

Overall: PASS

📰 BREAKING: Report filed by Smoke Docker Sbx
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color all passed ✅ PASS
Go env all passed ✅ PASS
Go uuid all passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx all passed ✅ PASS
Node.js execa all passed ✅ PASS
Node.js p-limit all passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by Build Test Suite for #6209 · 56.6 AIC · ⊞ 6.9K ·
Add label ready-for-aw to run again

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
@github-actions

Copy link
Copy Markdown
Contributor

test from agent

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)
Add label ready-for-aw to run again

@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric Base PR Delta
Lines 98.93% 98.96% 📈 +0.03%
Statements 98.88% 98.92% 📈 +0.04%
Functions 99.34% 99.34% ➡️ +0.00%
Branches 95.15% 95.14% 📉 -0.01%
📁 Per-file Coverage Changes (2 files)
File Lines (Before → After) Statements (Before → After)
src/commands/build-config.ts 95.7% → 97.1% (+1.49%) 95.7% → 97.1% (+1.49%)
src/log-directory-setup.ts 96.2% → 100.0% (+3.78%) 96.3% → 100.0% (+3.71%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

Cover the AWF_DEBUG_TOKENS env var branch in build-config to push
overall branch coverage above the base threshold.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot-Session: 8dcc99fc-3d0e-40c5-8b75-bc43d9bf5dee
@github-actions

Copy link
Copy Markdown
Contributor

✅ Coverage Check Passed

Overall Coverage

Metric Base PR Delta
Lines 98.93% 98.96% 📈 +0.03%
Statements 98.88% 98.92% 📈 +0.04%
Functions 99.34% 99.34% ➡️ +0.00%
Branches 95.15% 95.16% ➡️ +0.01%
📁 Per-file Coverage Changes (2 files)
File Lines (Before → After) Statements (Before → After)
src/commands/build-config.ts 95.7% → 97.1% (+1.49%) 95.7% → 97.1% (+1.49%)
src/log-directory-setup.ts 96.2% → 100.0% (+3.78%) 96.3% → 100.0% (+3.71%)

Coverage comparison generated by scripts/ci/compare-coverage.ts

@lpcox lpcox merged commit 18817f9 into main Jul 14, 2026
24 checks passed
@lpcox lpcox deleted the feat/legacy-security-rename branch July 14, 2026 01:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Rename --security-mode to --legacy-security boolean flag

2 participants