Codex: inject openai-proxy provider in generated config when API proxy is enabled

[Copilot]

Codex v0.121+ can bypass OPENAI_BASE_URL for Responses WebSocket traffic, causing direct api.openai.com connections with placeholder credentials under AWF --enable-api-proxy and resulting in 401s. This change makes the compiler emit a Codex custom provider override in the generated shell policy config for firewall/api-proxy runs.

• Compiler change (Codex MCP config generation)

  • In pkg/workflow/codex_mcp.go, the generated GH_AW_CODEX_SHELL_POLICY heredoc now includes an openai-proxy custom model provider when firewall mode is enabled.
  • The injected provider sets:
    • model_provider = "openai-proxy"
    • base_url = "http://172.30.0.30:10000"
    • env_key = "OPENAI_API_KEY"
    • supports_websockets = false
  • This forces Codex to use REST via AWF’s api-proxy sidecar instead of WebSocket direct-to-OpenAI paths.

• Behavior guardrail

  • Injection is conditional on firewall-enabled execution paths (where api-proxy is active), avoiding behavior changes for non-firewall runs.

• Targeted test coverage

  • Added/updated Codex MCP rendering tests in pkg/workflow/codex_engine_test.go to assert:
    • provider block is present when firewall is enabled
    • provider block is absent when firewall is disabled

Example of injected config block:

model_provider = "openai-proxy"

[model_providers.openai-proxy]
name = "OpenAI AWF proxy"
base_url = "http://172.30.0.30:10000"
env_key = "OPENAI_API_KEY"
supports_websockets = false

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE mS/RcOTVA9pgHw5AY9NydNx/tlpuc8L9p8RCIaIQKt-k (http block)
  • Triggering command: /usr/bin/gh gh repo view owner/repo env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com (http block)
  • Triggering command: /usr/bin/gh gh repo view owner/repo env rdian.md GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name "prettier" --che-p GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-trimpath -o /tmp/go-build432-p -trimpath 64/bin/go -p main -lang=go1.25 go (http block)
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build2435721305/b404/importcfg -pack /tmp/go-build2435721305/b404/_testmain.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv download 12346 /usr/bin/gh test-logs/run-12git cfg 64/pkg/tool/linu--show-toplevel gh repo�� view owner/test-repo /usr/bin/git y.md GO111MODULE k git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv --get-regexp ^remote\..*\.gh-resolved$ /usr/bin/gh g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel gh repo�� view owner/test-repo /usr/bin/git g_.a kVjpTbR-V 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv download 12346 /usr/bin/gh test-logs/run-12git GO111MODULE 64/bin/go gh repo�� view owner/test-repo /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv y config /usr/bin/git remote.origin.urgit GO111MODULE x_amd64/vet git remo�� GOMODCACHE x_amd64/vet /usr/bin/git -json GO111MODULE x_amd64/vet git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv ansitiveImports757395603/001 go om/other/repo.git -json GO111MODULE 64/bin/go gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq /usr/bin/git -json GO111MODULE x_amd64/asm git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv ansitiveImports1556496655/001 l /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE 64/bin/go node /tmp�� /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/agentic-observability-kit.md sh /opt/hostedtoolcache/node/24.14.1/x64/bin/node "prettier" --chegit GOPROXY 64/bin/go /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE cfg GOINSECURE GOMOD GOMODCACHE Bh/hKJC44cVKMHVnpBvTgXO/G1KutSxXupstream (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/xTest User /usr/bin/git 97/001/test-frontr 647134/b034/vet.\n x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git 2611-32224/test-git 647134/b121/vet.rev-parse ache/go/1.25.8/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv --show-toplevel 647134/b444/stats.test 1/x64/bin/npm 4149930088 --jq 647134/b459/tty.--show-toplevel 1/x64/bin/npm rev-�� --show-toplevel 647134/b459/tty.test /usr/bin/git t0 rev-parse (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v6
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ons-test1380519671 config /usr/bin/git remote.origin.urgit GO111MODULE 64/bin/go git conf�� --get l /usr/bin/git -json GO111MODULE layTitle git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /repos/test-owner/test-repo/actions/secrets l /usr/bin/git go1.25.8 -c=4 -nolocalimports git -C /tmp/TestGuardPolicyBlockedUsersExpressionCompilbase (original) config /usr/bin/git remote.origin.urgit node layTitle git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv run l /usr/bin/git --detach -c=4 -nolocalimports git -C runs/20260421-233458-88808/test-1256244252 remote /usr/bin/git -json GO111MODULE layTitle git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linuremote.origin.url /usr/bin/git ApprovalLabelsCogit tmain.go tartedAt,updated-b git rev-�� --show-toplevel 647134/b395/actionpins.test /usr/bin/git t0 tmain.go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 2912-56863/test-git GO111MODULE tartedAt,updated-b git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git st-721584221/.gigit O_e3/jNiaaPEe3F5rev-parse 6328415/b179=> git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git -json GO111MODULE tartedAt,updated-b git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE /opt/hostedtoolc--show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/compile /usr/bin/git -json cfg 64/pkg/tool/linu--show-toplevel git init�� GOMODCACHE 64/pkg/tool/linux_amd64/vet /usr/bin/gh -json cfg x_amd64/link gh (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/compile /usr/bin/git y-test.md GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/link /usr/bin/git itmain_branch428git itmain_branch428rev-parse 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/gh -json GO111MODULE 64/bin/go gh (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --show-toplevel x_amd64/vet /usr/bin/git -json cfg 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linuTest User /usr/bin/git -json cfg 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv user.email test@example.com /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --git-dir go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git itmain_branch324git itmain_branch324rev-parse 64/bin/go git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv 647134/b459/_pkg_.a go 647134/b459=> ntent.md GO111MODULE 64/bin/go git init�� BHBh/Mm0ui0x2Iv4Z-LYbBHBh s/5/artifacts /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE 64/bin/go node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/.github/workflows/approach-validator.md initial commit /usr/bin/git -goversion go1.25.8 -c=4 git -C /tmp/gh-aw-test-runs/20260421-232912-56863/test-2823444620/.github/workflows s/3/artifacts /usr/bin/git remote.origin.urgit node 64/bin/go git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv origin master /usr/bin/git -json GO111MODULE 64/bin/go git -C /tmp/gh-aw-test-runs/20260421-233458-88808/test-3726031908/.github/workflows s/4/artifacts /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv 0ad213f6..HEAD --quiet $name) { hasDiscussionsEnabled } } token-test.txt git-receive-packconfig ules/.bin/git git show�� --verify 0ad213f6..HEAD 1/x64/bin/node -m patch /home/REDACTED/wor/home/REDACTED/work/gh-aw/gh-aw/.github/workflows 1/x64/bin/node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv --verify --quiet odules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/git token-test.txt git 86_64/git git show�� 0ad213f6..HEAD 1b21dbc0df7905c10ad213f6 1/x64/bin/node -m patch git 1/x64/bin/node (http block)
  • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv a7454c45..HEAD --quiet $name) { hasDiscussionsEnabled } } token-test.txt git es/.bin/git git show�� --verify a7454c45..HEAD ules/.bin/node -m patch odules/npm/node_/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --git-dir x_amd64/compile /usr/bin/git -json cfg x_amd64/compile git rev-�� --git-dir x_amd64/compile /usr/bin/infocmp -json GO111MODULE 64/pkg/tool/linu--show-toplevel infocmp (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv user.email test@example.com /usr/bin/git -json GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git ility-kit.md GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv --git-dir go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/infocmp hub/workflows GO111MODULE 64/bin/go infocmp (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv sistency_InlinedImports1015005807/001/inlined-b.md security /usr/bin/git OUTPUT -d 168.63.129.16 git -C runs/20260421-232611-32224/test-3038690923 remote 64/pkg/tool/linux_amd64/compile ACCEPT GO111MODULE 64/bin/go 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv -m initial commit /usr/bin/git -goversion go1.25.8 -c=4 git -C /tmp/TestGuardPolicyMinIntegrityOnlymin-integrity_only_defaults_repo3424313015/001 (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv origin develop /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv 647134/b465/_pkg_.a security ache/node/24.14.1/x64/bin/node OUTPUT b/gh-aw/pkg/typerev-parse 168.63.129.16 git t-33�� k/gh-aw/gh-aw/.github/workflows/ai-moderator.md rev-parse /usr/bin/infocmp ACCEPT GO111MODULE 64/bin/go 647134/b465/importcfg (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv _ceXwrAsYVDQR-HUaE0f/_ceXwrAsYVDQR-HUaE0f -dwarf=false /usr/bin/git go1.25.8 -c=4 -nolocalimports git rev-�� --git-dir /tmp/go-build2086328415/b235/embedcfg /usr/bin/git --check (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -m l e/git -json GO111MODULE 64/bin/go e/git -C /tmp/gh-aw-test-runs/20260421-233458-88808/test-1967363055/.github/workflows remote /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 1705074214/.github/workflows cfg ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/xTest User (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE ck GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env mpiledOutput1799893279/001 GO111MODULE 64/pkg/tool/linux_amd64/link GOINSECURE l/errors 64/src/math/floouser.name 64/pkg/tool/linuTest User (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE Vgol9MA/jtMHmSR1PwQ4sKWnT8ry env -json GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env 2208538627 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name @v1.1.3/cpu/arm/arm.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linumyorg env y_with_repos=public_3682886308/001 X4Ap2OrxA 64/pkg/tool/linux_amd64/link GOINSECURE (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/xTest User (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env y.md GO111MODULE k GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name oding@v0.5.4/iso8601/parse.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env y_with_repos=public_3682886308/001 n.go 64/pkg/tool/linux_amd64/link GOINSECURE (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env -json GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-buildtags (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env 1143987716/custom/workflows GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name @v1.19.2/internal/errors/error.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env mpiledOutput1799893279/001 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE l/format abis 64/pkg/tool/linutest@example.com (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env -json GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE ache/go/1.25.8/x64/pkg/tool/linu-buildmode=exe GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linurev-parse (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name @v1.19.2/printer/color.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD abis 64/pkg/tool/linuorigin (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 1705074214/.github/workflows GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/xtest@example.com (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 cfg 64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/tmp/go-build786647134/b466/_testmain.go env -json GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name @v1.19.2/internal/format/format.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env mpiledOutput1799893279/001 OhJqGnTLC 64/pkg/tool/linux_amd64/vet GOINSECURE (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name cfg 64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/tmp/go-build786647134/b459/_testmain.go env 1705074214 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-test.v=true (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 cfg 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env 1143987716/custom/workflows GO111MODULE ache/go/1.25.8/x64/pkg/tool/linu-buildmode=exe GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-extld=gcc (http block)
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name LsRemoteWithRealGitbranch_with_hyphen1871540054/001' 64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/asm env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE _other.o 64/src/crypto/in--show-toplevel 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -c=4 -nolocalimports -importcfg /tmp/go-build786647134/b419/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE 64/pkg/tool/linuorigin env ithub/workflows GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
• https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
  • Triggering command: /tmp/go-build786647134/b404/cli.test /tmp/go-build786647134/b404/cli.test -test.testlogfile=/tmp/go-build786647134/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -json GO111MODULE 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /tmp/go-build3711493167/b404/cli.test /tmp/go-build3711493167/b404/cli.test -test.testlogfile=/tmp/go-build3711493167/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build2086328415/b184/importcfg -pack -c che/go-build/12/-p GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-trimpath (http block)
  • Triggering command: /tmp/go-build2435721305/b404/cli.test /tmp/go-build2435721305/b404/cli.test -test.testlogfile=/tmp/go-build2435721305/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE erignore env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel dI/VlqCrFGhKv_vuXFDo5AA/4Ab4WdaLaDttp7jQC4de /usr/bin/git -json GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/xrev-parse /usr/bin/git se 647134/b318/vet.-lh 647134/b185/vet./tmp/gh-aw/aw-feature-branch.patch git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel ache/go/1.25.8/xremote.origin.url /usr/bin/git ortcfg cjNZiRS1g ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linuorigin /usr/bin/git 2912-56863/test-ls dE5S/nPvk3w7LQzW-lh ache/go/1.25.8/x/tmp/gh-aw/aw-feature-branch.patch git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv --show-toplevel go /usr/bin/git archie.md GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git 3458-88808/test-ls GO111MODULE /opt/hostedtoolc/tmp/gh-aw/aw-feature-branch.patch git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv se 647134/b019/vet.cfg ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv g_.a z-hV-eFae /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env ortcfg S-MkVro-o ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 1/x64/bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env 115112696/001 115112696/002/work x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv ./cmd/gh-aw GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-tests -V=f�� pkg/workflow/com-json prettier 64/bin/go ../../../**/*.jsnode !../../../pkg/wo/tmp/js-hash-test-173324083/test-hash.js 64/bin/go go (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet _bra�� -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env Gitmain_branch2523608209/001' Gitmain_branch2523608209/001' x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile 1151�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv che/go-build/66/remote.origin.url GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.8/xGO111MODULE -V=f�� tions/node_modul-json node 64/bin/go --write ../../../**/*.jsinit 64/bin/go go (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv se 647134/b023/vet.cfg k GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x-buildtags sRem�� -json GO111MODULE cfg GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x12345 (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv g_.a 6D-KwQuTc 64/pkg/tool/linux_amd64/link GOINSECURE nal/poly1305 GOMODCACHE 64/pkg/tool/linux_amd64/link env ser.test RR0X2oXnN ortcfg.link GOINSECURE GOMOD GOMODCACHE bjHbg_ZJCCAgzSWOmS/RcOTVA9pgHw5Arev-parse (http block)
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv 2/001/inlined-a.md GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env ai-moderator.md GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env thub/workflows V3gqgd2UJ /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env 647134/b399/_pkg_.a GO111MODULE cfg GOINSECURE GOMOD GOMODCACHE N_/MhA652aEkSuR8--json (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-trimpath -o /tmp/go-build432-p -trimpath 64/bin/go -p main -lang=go1.25 go (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build3711493167/b070/importcfg -pack /tmp/go-build3711493167/b070/_testmain.go -V=f�� /sh node 64/bin/go --write ../../../**/*.js-o 64/bin/go go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node (http block)
• https://api.github.com/repos/test/repo
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch -json GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-test.v=true (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch edOutput363687614/001 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE _wasm.o 64/src/runtime/a--show-toplevel 64/pkg/tool/linux_amd64/vet env -json BytXhgNOP 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu3 (http block)
  • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch mpiledOutput2154557462/001 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet env -json GO111MODULE ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• invalid.example.invalid
  • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git git conf�� user.name lure tions/setup/js/node_modules/.bin/git -M main /usr/sbin/git git init�� --bare --initial-branch=main k/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/git '/tmp/bare-incregit '/tmp/bare-increadd cal/bin/git git (dns block)
  • Triggering command: /usr/lib/git-core/git-remote-https /usr/lib/git-core/git-remote-https origin https://invalid.example.invalid/nonexistent-repo.git git conf�� user.name lure k/gh-aw/gh-aw/actions/node_modules/.bin/git -M main -branch git bran�� -M main cal/bin/git user.name Test User n-dir/git git (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

---

🤖 Smoke CI scheduled run: https://github.com/github/gh-aw/actions/runs/24752382115

Generated by Smoke CI · ● 354.6K · ◷

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR updates Codex MCP config generation to force Codex traffic through AWF’s api-proxy sidecar during firewall-enabled runs, preventing unexpected direct WebSocket connections to api.openai.com that can lead to 401s.

Changes:

• Injects an openai-proxy model provider block into the generated Codex TOML when firewall is enabled.
• Adds constants for the provider id/name/base URL to reduce duplication in config rendering.
• Adds tests asserting the provider block is present with firewall enabled and absent otherwise.

Show a summary per file

File	Description
pkg/workflow/codex_mcp.go	Conditionally emits an openai-proxy provider + model_provider override into the generated TOML.
pkg/workflow/codex_engine_test.go	Adds regression tests for provider injection behavior based on firewall enablement.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 4

[Copilot]

This writes a TOML fragment (including a top-level model_provider = ...) and then appends additional TOML from ${RUNNER_TEMP}. TOML does not allow duplicate keys, so if the appended config also contains model_provider (or a duplicate [model_providers.openai-proxy] table), Codex’s TOML parse can fail at runtime. A safer approach is to ensure model_provider is only defined once (e.g., inject only the provider table here, and set/override model_provider in the final/last fragment; or switch from raw concatenation to a proper merge strategy where you parse/build a single TOML document before writing).

Suggested change

	yaml.WriteString(" cat \"${RUNNER_TEMP}/gh-aw/mcp-config/config.toml\" >> \"/tmp/gh-aw/mcp-config/config.toml\"\n")
	if isFirewallEnabled(workflowData) {
	yaml.WriteString(" awk '\\n")
	yaml.WriteString(" BEGIN { skip_openai_proxy = 0 }\\n")
	yaml.WriteString(" /^[[:space:]]*model_provider[[:space:]]*=/ { next }\\n")
	yaml.WriteString(" /^\\\\[model_providers\\\\.openai-proxy\\\\][[:space:]]*$/ { skip_openai_proxy = 1; next }\\n")
	yaml.WriteString(" /^\\\\[/ { skip_openai_proxy = 0 }\\n")
	yaml.WriteString(" !skip_openai_proxy { print }\\n")
	yaml.WriteString(" ' \"${RUNNER_TEMP}/gh-aw/mcp-config/config.toml\" >> \"/tmp/gh-aw/mcp-config/config.toml\"\n")
	} else {
	yaml.WriteString(" cat \"${RUNNER_TEMP}/gh-aw/mcp-config/config.toml\" >> \"/tmp/gh-aw/mcp-config/config.toml\"\n")
	}

[Copilot]

The proxy base URL is hard-coded to a specific IP:port. If the sidecar address changes (or differs across environments), this will silently break Codex connectivity. Consider deriving this from an existing central constant/config used by the api-proxy setup (or making the base URL configurable via workflow/engine config with a sensible default) so the compiler and runtime remain in sync.

[Copilot]

These blank-line writes include indent before the newline, which produces whitespace-only lines in the generated TOML. While usually harmless, it adds trailing whitespace noise and can complicate snapshot/assertion diffs. Prefer writing just "\n" for blank lines (without prefixing indent) while keeping indentation for non-empty lines.

Suggested change

	yaml.WriteString(indent + "\n")
	yaml.WriteString(indent + "model_provider = \"" + codexOpenAIProxyProviderID + "\"\n")
	yaml.WriteString(indent + "\n")
	yaml.WriteString("\n")
	yaml.WriteString(indent + "model_provider = \"" + codexOpenAIProxyProviderID + "\"\n")
	yaml.WriteString("\n")

[Copilot]

The tools map and mcpTools slice are shared across subtests. If RenderMCPConfig mutates either (even indirectly), it can create hidden coupling and flaky tests. Instantiate fresh tools/mcpTools inside each t.Run (or clone them) to keep subtests isolated.

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	1 (with 2 sub-cases)
✅ Design tests (behavioral contracts)	1 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	1 (100%)
Duplicate test clusters	0
Test inflation detected	⚠️ Yes (50 test lines / 21 prod lines = 2.38:1, threshold 2:1)
🚨 Coding-guideline violations	None

---

Test Classification Details

Test	File	Classification	Issues Detected
TestCodexEngineRenderMCPConfigOpenAIProxyProvider	pkg/workflow/codex_engine_test.go:310	✅ Design	Minor: uses stdlib t.Errorf/t.Fatalf rather than testify; trivial inflation ratio

---

Test Analysis

✅ TestCodexEngineRenderMCPConfigOpenAIProxyProvider

This test has two sub-cases using t.Run():

• "injects openai-proxy provider when firewall is enabled" — constructs a real WorkflowData with FirewallConfig{Enabled: true}, calls RenderMCPConfig, and asserts that 6 specific TOML config lines appear in the output (model_provider, [model_providers.openai-proxy], name, base_url, env_key, supports_websockets). This directly verifies the observable contract of the feature.
• "does not inject openai-proxy provider when firewall is disabled" — constructs WorkflowData without a firewall config and asserts the proxy provider string is absent. This is the negative/edge case path.

Classification: Design test — verifies the observable output string based on network configuration state. Would catch both regression (proxy not injected when needed) and over-injection (proxy injected when not needed).

No mocks, no prohibited libraries, build tag //go:build !integration present. ✅

📋 Minor Observations (non-blocking)

Assertion style: The test uses stdlib t.Fatalf/t.Errorf throughout rather than testify. Both are accepted in this codebase. The error format strings ("Expected MCP config to contain %q, got:\n%s") are descriptive and provide full context on failure — no issue.

Inflation ratio: 50 test lines added vs. 21 production lines = 2.38:1, marginally above the 2:1 threshold. The test is more verbose than the production code because it enumerates 6 specific expected TOML lines and covers two distinct scenarios. This is justified overhead, not padding.

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 1 test function (2 sub-cases) — unit (//go:build !integration)
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). The test enforces two behavioral invariants of the openai-proxy provider injection feature.

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

---

References: §24752301212

🧪 Test quality analysis by Test Quality Sentinel · ● 440.4K · ◷

[github-actions]

✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). The new TestCodexEngineRenderMCPConfigOpenAIProxyProvider test covers both the positive (firewall enabled → proxy injected) and negative (firewall disabled → proxy absent) behavioral contracts with real component interactions and no mock libraries.

[lpcox]

@copilot address this review feedback #27711 (review)