[aw-failures] Recompile lock files to fix Codex 401 Unauthorized failures (blocks AI Moderator + Daily Obs Report)

[github-actions]

Problem

Multiple codex-engine workflows are failing with 401 Unauthorized at api.openai.com/v1/responses because their lock files are missing the openai-proxy provider config added in PR #27711 (commit 28d8df1). The lock files route codex directly to api.openai.com instead of through the internal AWF proxy at `(172.30.0.30/redacted) causing authentication failures.

Affected workflows (confirmed failing in last 6h):

• AI Moderator — run §24752310887
• Daily Observability Report — run §24752303616

Also affected (tracked separately):

• Smoke Codex — [aw] Smoke Codex failed #27689

Root Cause

After 28d8df1 merged (which injects openai-proxy into generated codex config), the lock files were not recompiled. This leaves the running workflows using old .lock.yml files without the proxy section:

# Missing from current lock files:
model_provider = "openai-proxy"

[model_providers.openai-proxy]
name = "OpenAI AWF proxy"
base_url = "(172.30.0.30/redacted)
env_key = "OPENAI_API_KEY"
supports_websockets = false

Without this, codex calls api.openai.com/v1/responses directly. The OPENAI_API_KEY is only valid via the proxy, so all codex runs return 401.

Proposed Remediation

Recompile all lock files per the instructions in #27724:

gh aw compile --validate --verbose
# Commit regenerated .lock.yml files

Success Criteria

• Lock files recompiled and committed (see [aw] agentic workflows out of sync #27724 for tracked changes)
• Next AI Moderator run succeeds without 401
• Next Daily Observability Report run succeeds without 401
• No remaining Reconnecting... 1/5 ... 5/5 error pattern in codex workflow logs

Parent Issue

Part of failure investigation report: #27729

Caution

Security scanning requires review for [aw] Failure Investigator (6h)

Details

Potential security threats were detected in the agent output. The workflow output should be reviewed before merging.

Review the workflow run logs for details.

Generated by [aw] Failure Investigator (6h) · ● 416.7K · ◷

• expires on Apr 29, 2026, 1:21 AM UTC

[github-actions]

🍪 *Issue Monster selected this for Copilotecho BEGIN___COMMAND_OUTPUT_MARKER ; PS1= ; PS2= ; unset HISTFILE ; EC=0 ; echo ___BEGIN___COMMAND_DONE_MARKER___0 ; }

I've identified this issue as a good candidate for automated resolution and requested assignment to the Copilot coding agent.

If assignment succeeds, the Copilot coding agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

Caution

Security scanning requires review for Issue Monster

Details

Potential security threats were detected in the agent output. The workflow output should be reviewed before merging.

Review the workflow run logs for details.

🍪 Om nom nom by Issue Monster · ● 13.1K · ◷