feat: add byok-copilot feature flag for Copilot CLI offline BYOK mode #26543

@lpcox

Summary

Add a byok-copilot feature flag that configures the compiler to set up Copilot CLI in offline BYOK mode with the api-proxy sidecar and cli-proxy. When enabled, the compiled workflow should automatically:

  1. Set COPILOT_API_KEY as a dummy placeholder in the agent environment (triggering AWF's BYOK detection)
  2. Enable the api-proxy sidecar (--enable-api-proxy) which holds the real COPILOT_GITHUB_TOKEN credential
  3. Enable cli-proxy (features.cli-proxy: true) for authenticated gh CLI access
  4. Set COPILOT_OFFLINE=true so Copilot CLI skips GitHub OAuth and uses the sidecar
  5. Set COPILOT_PROVIDER_BASE_URL to point at the api-proxy sidecar (port 10002)
  6. Use the latest Copilot CLI version (not a pinned version) via install_copilot_cli.sh

Motivation

We validated this pattern end-to-end in gh-aw-firewall PR #2006 with the smoke-copilot-byok workflow. The successful CI run (run 24488563695) confirmed:

  • Copilot CLI 1.0.28 running with claude-opus-4.6 model via the Copilot API
  • Agent sees only a dummy COPILOT_API_KEY — real credentials never enter the sandbox
  • Inference path: agent → api-proxy sidecar (port 10002) → Squid proxy → api.githubcopilot.com
  • api-proxy injects both Authorization and Copilot-Integration-Id headers
  • All 4 smoke tests passed: MCP tools, GitHub.com connectivity, file I/O, BYOK inference

Currently, setting this up requires manual frontmatter configuration:

engine: copilot
env:
  COPILOT_API_KEY: dummy-byok-key-for-offline-mode
features:
  cli-proxy: true

Plus AWF's docker-manager.ts handles the runtime detection (setting COPILOT_OFFLINE, COPILOT_PROVIDER_BASE_URL, credential exclusion). But the workflow author has to know about all these pieces.

Proposed Feature Flag

engine: copilot
features:
  byok-copilot: true

When byok-copilot: true is set, the compiler should automatically:

| Setting | Value | Why |
| --- | --- | --- |
| COPILOT_API_KEY | dummy-byok-key-for-offline-mode | Triggers AWF's BYOK detection logic |
| --enable-api-proxy | enabled | Starts the credential-holding sidecar |
| features.cli-proxy | true | Enables authenticated gh CLI via DIFC proxy |
| COPILOT_GITHUB_TOKEN | excluded from agent env | Credential isolation — only sidecar sees it |
| Copilot CLI version | latest (no pin) | Always use the newest release |
| network.allowed | add api.githubcopilot.com and related domains | Required for inference traffic |

The COPILOT_OFFLINE and COPILOT_PROVIDER_BASE_URL env vars are already handled at runtime by AWF's docker-manager.ts when it detects COPILOT_API_KEY in the config — no compiler changes needed for those.

Copilot API Model Compatibility

Based on testing with the /models endpoint (api.githubcopilot.com/models), the following models are available:

  • claude-opus-4.6, claude-sonnet-4.6, claude-sonnet-4.5, claude-opus-4.5 — work via /chat/completions
  • gpt-4.1, gpt-5.2, gpt-5.4-mini — work via /chat/completions
  • gpt-5.4 — available but Copilot CLI sends a tool with empty function.name, rejected by this model
  • gpt-5.3-codex, gpt-5.2-codex — not accessible via /chat/completions (Codex-only endpoint)

The compiler could validate the model against known-compatible models when byok-copilot is enabled.

Reference Implementation

Labels: enhancement

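The expansion proposed in the issue's settings table, together with a check that a compiled configuration keeps the real credential out of the agent environment, as an added Go example that is not code from the issue or from the project. The `Compiled` type and the `ExpandBYOK` and `CheckIsolation` functions are hypothetical names; only `api.githubcopilot.com` is added to the allow list because the issue does not name the "related domains".

```go
package main

import "fmt"

const dummyKey = "dummy-byok-key-for-offline-mode"

// Compiled is a hypothetical, simplified view of a compiled workflow.
type Compiled struct {
	AgentEnv           map[string]string
	APIProxy, CLIProxy bool
	Allowed            map[string]bool // network.allowed as a set
}

// ExpandBYOK applies the table's settings when features["byok-copilot"] is set.
func ExpandBYOK(features map[string]bool, env map[string]string, allowed []string) Compiled {
	c := Compiled{AgentEnv: map[string]string{}, CLIProxy: features["cli-proxy"], Allowed: map[string]bool{}}
	for k, v := range env {
		c.AgentEnv[k] = v // copy so the caller's map is not mutated
	}
	for _, d := range allowed {
		c.Allowed[d] = true
	}
	if features["byok-copilot"] {
		c.AgentEnv["COPILOT_API_KEY"] = dummyKey   // placeholder only
		delete(c.AgentEnv, "COPILOT_GITHUB_TOKEN") // real credential stays with the sidecar
		c.APIProxy, c.CLIProxy = true, true
		c.Allowed["api.githubcopilot.com"] = true
	}
	return c
}

// CheckIsolation lists every way c departs from the BYOK settings in the table.
func CheckIsolation(c Compiled) []string {
	var v []string
	add := func(bad bool, msg string) {
		if bad {
			v = append(v, msg)
		}
	}
	_, leaked := c.AgentEnv["COPILOT_GITHUB_TOKEN"]
	add(leaked, "COPILOT_GITHUB_TOKEN in agent env")
	add(c.AgentEnv["COPILOT_API_KEY"] != dummyKey, "COPILOT_API_KEY is not the placeholder")
	add(!c.APIProxy || !c.CLIProxy, "api-proxy or cli-proxy disabled")
	add(!c.Allowed["api.githubcopilot.com"], "api.githubcopilot.com not in network.allowed")
	return v
}

func main() {
	// Constructed sample: no flag set and the real token left in the agent env.
	fmt.Println(CheckIsolation(ExpandBYOK(nil, map[string]string{"COPILOT_GITHUB_TOKEN": "constructed"}, nil)))
}
```

Run as a CI gate, a non-empty result from `CheckIsolation` fails the build before a misconfigured workflow reaches the sandbox.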