docs: AW harness design plan (Pi SDK + extensions)

[pelikhan]

AW Harness Design Plan

Design plan for the aw engine harness — a Pi SDK-based replacement for copilot_harness.cjs that adds multi-step DAG orchestration, multi-agent/multi-model support, context engineering, cost tracking, steering, session repair, and observability.

Key Design Decisions

• Built on Pi agent ecosystem — Uses @mariozechner/pi-coding-agent, pi-agent-core, pi-ai as the runtime
• Extensions-first — All gh-aw capabilities (safe-outputs, MCP bridge, cost tracking, steering, repair, observability, checkpoint) are implemented as Pi extensions using ExtensionAPI
• api-proxy for model resolution — Model names/aliases pass through to the existing api-proxy, which handles recursive resolution, provider routing, and semver selection
• TypeScript compiled for Node 24 — Compiled to ES2024, bundled via esbuild to a single .cjs in actions/setup/js/
• New opt-in engine — engine: aw is a new choice; existing engines (copilot, claude, codex) are untouched
• No CLI spawning — Pi SDK talks directly to LLM APIs through the api-proxy

Architecture

aw_harness.cjs (entry point)
  |-- Parser (markdown -> steps + config)
  |-- DAG Planner (topological sort, parallel groups)
  |-- DAG Runner (orchestrates multiple Pi AgentSessions)
  +-- Pi Extensions (loaded into each session):
      |-- api-proxy-provider (registerProvider for api-proxy)
      |-- mcp-bridge (MCP gateway tools -> Pi AgentTool)
      |-- safe-outputs (tools + artifact writing)
      |-- cost-tracker (budget gates via turn_end events)
      |-- steering (time/budget pressure via steer())
      |-- repair (broken session recovery)
      |-- observability (JSONL + OTel spans)
      +-- checkpoint (persist/resume state)

Files

• specs/aw-harness.md - Full design document

This is a design-only PR - no implementation code yet.

[github-actions]

✅ smoke-ci: safeoutputs CLI comment + comment-memory run (25240542151)

Generated by Smoke CI for issue #29667 · ◷

[github-actions]

Comment Memory

CI lights the path
Green checks bloom at dawn
Quiet bots still sing

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.

Learn more about comment memory

Generated by Smoke CI for issue #29667 · ◷

[Copilot]

Pull request overview

Adds a design document for a proposed aw engine harness that would replace the current single-CLI retry wrapper with a Pi SDK-based orchestration layer for multi-step, multi-agent workflows.

Changes:

• Introduces the proposed AW harness architecture, including Pi extension-based capabilities such as MCP bridging, safe outputs, cost tracking, repair, checkpointing, and observability.
• Defines a draft workflow/frontmatter format for engine: aw, step extraction from markdown headings, and DAG-based execution.
• Documents an implementation/build/testing plan for packaging a bundled aw_harness.cjs into actions/setup/js/.

Show a summary per file

File	Description
specs/aw-harness.md	New end-to-end design spec for the proposed AW engine, covering architecture, workflow format, extension model, runtime orchestration, and rollout/build plan.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 9

[pelikhan]

@copilot when this harness is selected, GH-proxy and CLI proxy features are always enabled. You cannot disable them because it does not support MCP natively.

[Copilot]

@copilot when this harness is selected, GH-proxy and CLI proxy features are always enabled. You cannot disable them because it does not support MCP natively.

Updated in 370d10c. The spec now documents in three places that gh-proxy and cli-proxy are always enabled for engine: aw and cannot be disabled (Pi SDK does not support MCP natively):

• "What this IS" bullet added
• Design Principle 5 added
• Frontmatter example now shows cli-proxy: true and mode: gh-proxy with explanatory comments
• MCP Bridge extension section has a Note callout explaining the mandatory dependency
• Backwards Compatibility table has two new rows: cli-proxy: false is ignored, and tools.github.mode: remote is overridden to gh-proxy

[pelikhan]

@copilot rewrite harness spec using the W3c-spec-writer

[pelikhan]

@copilot the harness has no predefined context, all ambient imported files or skills must be declared

[Copilot]

@copilot rewrite harness spec using the W3c-spec-writer

Done in 678615c. The spec has been fully rewritten in W3C specification format with:

• Abstract, Status of This Document, and Table of Contents
• §2 Conformance — RFC 2119 keyword table (MUST, SHOULD, MAY, etc.)
• §3 Terminology and Definitions — 14 formal definition entries
• §4 Architecture — design principles expressed as normative MUST/MUST NOT requirements (duplicate item 5 renumbered, AWF_API_PROXY_TOKEN used consistently)
• §5 Harness Invocation Contract — entry point, env vars table, exit codes, stdio rules
• §6 Workflow Definition — formal sub-schema per harness.* key + §6.2 Overrides and Fixed Settings table (gh-proxy/cli-proxy always-on is a normative MUST NOT)
• §7 DAG Execution Model — normative construction and execution algorithms
• §8 Extensions — each of the 8 extensions as a subsection with a Requirements list + >[!NOTE] Non-normative example code blocks
• §9 Model Resolution (informative), §10 Build and Deployment (informative, preserves all original content)
• §11 Security Considerations, §12 Privacy Considerations (informative)
• §13 References — normative (RFC 2119) and informative (Pi SDK, esbuild, OTel, gh-aw)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• github.com (HTTP Only)
  • Triggering command: /usr/bin/ssh ssh -T git@github.com (packet block)
• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh gh auth status (http block)
• https://api.github.com/repos/fastlane/fastlane/releases
  • Triggering command: /usr/local/bin/fastlane fastlane bin-proxy --help (http block)
• https://api.github.com/repos/github/gh-aw
  • Triggering command: /usr/bin/curl curl -s -o/dev/null -w %{http_code} -H Authorization: token ****** REDACTED (http block)
  • Triggering command: /usr/bin/curl curl -s -H Authorization: token ****** REDACTED (http block)
• https://api.github.com/repos/github/gh-aw/git/refs/heads/pelikhan/aw-harness-plan
  • Triggering command: /usr/bin/gh gh api repos/github/gh-aw/git/refs/heads/pelikhan/aw-harness-plan (http block)
  • Triggering command: /usr/bin/curl curl -s -o/dev/null -w %{http_code} -X PATCH -H Authorization: token ****** -H Accept: application/vnd.github.v3+json REDACTED -d {"sha":"678615c870e4122e67dfbec403ad91c366e32344","force":false} (http block)
• https://api.github.com/user
  • Triggering command: /usr/bin/gh gh api user --jq .login (http block)
  • Triggering command: /usr/bin/curl curl -s -H Authorization: token ****** REDACTED (http block)
  • Triggering command: /usr/bin/curl curl -v REDACTED -H Authorization: token ****** (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

@copilot the harness has no predefined context, all ambient imported files or skills must be declared

Added §6.4 Initial Prompt Context in fe1e2a2. The new normative section states:

• The harness MUST NOT inject any predefined or ambient context into agent sessions
• Every item in a session's prompt MUST come from an explicitly declared origin: the step body, upstream transcripts, harness.agents[*].system, or imports:
• The harness MUST NOT auto-load AGENTS.md, .github/agents/ entries, or skills directories
• An [!IMPORTANT] callout reminds workflow authors to declare all needed files/skills via imports:

[pelikhan]

@copilot not needed, MCP are already wrapped as clis. No MCP support needed.

[Copilot]

Done in 945545f. Removed Extension 2 (MCP Gateway Bridge) entirely — the spec now states that MCP tools are available to agent sessions as CLI commands on PATH via cli-proxy, so no Pi-level bridge is needed. Updated the architecture diagram, Design Principle 5, §7.3 execution summary, §10 project structure, and implementation plan accordingly. The extension count dropped from eight to seven.

[pelikhan]

The front matter is preparsed by the gh-aw compiler and the aw harness will instead receive a config.json, prompt.text and agent files

[Copilot]

Done in 945545f. Updated the spec throughout to reflect that the gh-aw compiler pre-processes the workflow markdown and provides the harness with config.json (parsed harness config), prompt.txt (extracted prompt body), and agent files. Key changes:

• §3 "workflow document" definition updated
• §5.1 Entry Point rewritten: node aw_harness.cjs --config <config-path> --prompt <prompt-path> [--agent-file <agent-path>]
• Normative requirement added: the harness MUST NOT read or parse workflow Markdown files directly
• §6.1 intro updated to clarify the compiler emits config.json; the harness consumes it at runtime
• §6.3 Step Extraction Algorithm updated to describe reading from config.json + prompt.txt
• §7.2 normative requirements and code example updated accordingly

[pelikhan]

@copilot this information is in the config file, not needed

[Copilot]

Done in 3844198. Removed --agent-file from the invocation command and its description. The config.json already contains resolved agent file paths, so no separate flag is needed.

[pelikhan]

@copilot awf uses the environment from the various providers and must connect with those directly

[Copilot]

Done in 3844198. Updated throughout to reflect that AWF injects provider-specific credentials (e.g., ANTHROPIC_API_KEY, OPENAI_API_KEY, GITHUB_TOKEN) into the container and the harness reads them directly. Changes: §5.2 env vars table replaced with a note about provider env vars; Design Principle 3 updated to "Direct provider connections"; Extension 1 renamed from "api-proxy Provider" to "Provider Setup"; §9 Model Resolution, §11 Security, §12 Privacy, and the architecture diagram all updated to remove the api-proxy middleman.

[pelikhan]

@copilot this is implicit

[Copilot]

Done in 3844198. Removed harness: aw_harness.cjs from the frontmatter example.

[pelikhan]

@copilot steps are confusing because it is a github actions idiom. Use another terminology, related to processes.

[Copilot]

Done in 3844198. Renamed all harness execution unit references from "step/steps" to "task/tasks" throughout the spec: harness.steps → harness.tasks, <!-- harness-step: --> → <!-- harness-task: -->, "harness step" → "harness task", "step annotation" → "task annotation", section titles "Step Extraction Algorithm" → "Task Extraction Algorithm", "Step Execution Summary" → "Task Execution Summary", exit code table, observability events, checkpoint extension, backwards compatibility table, implementation plan, and project structure.

[Copilot]

@copilot remove subagents from this proposal. It just runs a single prompt instruction.

Done in 355543b. Removed all subagent/multi-task machinery from the spec:

• harness.agents and harness.tasks keys removed from §6.1 (schema, example, subsections)
• harness.checkpoint removed (§6.1.6 dropped)
• transcript-mode removed from harness.context
• §7 DAG Execution Model → replaced with §7 Single-Session Execution Model — one createAgentSession(), one session.prompt(), done
• Extension 7 (Checkpoint) removed; extension count is now 6
• §6.3 Task Extraction Algorithm → §6.3 Prompt Loading — reads entire prompt.txt as a single atomic prompt
• §6.4 updated — removed transcript upstream references; only prompt.txt, harness.system, and imports: feed the session
• Project structure simplified — removed parser.ts, planner.ts, dag-runner.ts, transcript.ts
• Implementation plan reduced from 17 items to 13, removing DAG planner, runner, transcript manager, checkpoint
• Backwards compatibility table simplified — removed multi-task rows, added all 6 existing engines
• §11/§12 updated — removed transcript confidentiality and retention paragraphs

[pelikhan]

@copilot add section on context observability .

• the harness should produce a file that provides a full timeline of the context creation (provenance of each piece of text) so that a downstream tool can do a deep analysis on the context size

• the harness should render output to the console in a format that is natively markdown friendly to GitHub actions step summary

• the harness should provide effective token consumption updates in the output on each turn

[Copilot]

@copilot add section on context observability .

• the harness should produce a file that provides a full timeline of the context creation (provenance of each piece of text) so that a downstream tool ...

Done in 9be73be. Added four normative sub-sections to §8.6 and updated §5.4:

§8.6.1 JSONL Event Stream — unchanged existing JSONL + OTel requirements.

§8.6.2 Context Provenance File — the extension MUST produce /tmp/gh-aw/context-provenance.jsonl on session completion. Each record captures timestamp, source ("prompt", "import", or "system"), path (for imports), tokens, cumulative_tokens, and role — enabling downstream tools (e.g., gh aw audit) to do deep analysis of context growth and identify which imports consumed the most token budget.

§8.6.3 GitHub Actions Step Summary — when GITHUB_STEP_SUMMARY is set, the extension MUST write a GitHub-flavored Markdown summary including a per-turn token table and a context provenance section listing each imports: file with its token contribution. §5.4 also updated to document the GITHUB_STEP_SUMMARY contract.

§8.6.4 Per-Turn Token Consumption Output — the extension MUST emit a human-readable line to stderr after each turn_end reporting turn number, input/output tokens, cumulative totals, and cost, formatted as a Markdown blockquote so it renders correctly in the step summary.

Also added a privacy note about the provenance file (metadata only, no raw prompt text) and expanded implementation plan item 10 to enumerate all four sub-requirements.

[pelikhan]

@copilot

• review pi agent and openclaw/openclaw extension format and provide compatibility requirement if applicable

[Copilot]

@copilot

...

Done in cbc260c. Added §4.3 Pi SDK and OpenClaw Extension Format Compatibility (non-normative):

§4.3.1 API Surface Comparison — side-by-side table mapping Pi ExtensionAPI methods to their OpenClaw OpenClawPluginApi counterparts:

• pi.registerTool() ↔ api.registerTool() (semantically equivalent; schema shapes differ — Pi-native vs. TypeBox Type.Object)
• pi.on() ↔ api.on() (same intent; event names differ, e.g. Pi "turn_end" vs. OpenClaw "after_agent_turn")
• pi.registerProvider() ↔ api.registerProvider() (config shape differs; OpenClaw also requires openclaw.plugin.json manifest)
• api.registerAgentHarness(...) — OpenClaw-only experimental low-level executor seam (no Pi equivalent)
• api.registerSessionExtension(...) — OpenClaw-only; no Pi equivalent

§4.3.2 Manifest Requirements — documents that OpenClaw plugins require openclaw.plugin.json + definePluginEntry(...) while Pi extensions are plain functions; the two formats are not interchangeable.

§4.3.3 Compatibility Requirements — normative SHOULDs for writing Pi extensions in a way that eases future portability: isolate Pi SDK dependencies to the entry boundary, express tool definitions as plain objects, treat event source names as a configuration layer, avoid Pi-internal APIs with no OpenClaw equivalent.

§4.3.4 registerAgentHarness Consideration — notes that OpenClaw's experimental executor seam could host the aw harness loop if a future OpenClaw gateway integration is desired, but the current spec does not target it.

Also updated the ToC, the §8 intro cross-reference, and added [OpenClaw] to the informative references.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• www.npmjs.com
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[pelikhan]

@copilot

• remove openclaw section
• investigate strategy to allow declaring piagent compatible extensions in frontmatter and registering them at runtime

[Copilot]

@copilot

• remove openclaw section...

Done in 4abef9b:

§4.3 removed — the OpenClaw compatibility section, its ToC entry, §8 cross-reference, and informative reference are all gone.

§6.1.4 harness.extensions added — new normative sub-section documenting how workflow authors declare Pi SDK-compatible extensions in frontmatter:

• Two entry forms: repository-relative path to a compiled .cjs file (e.g., ./extensions/custom-tool.cjs) or an npm package name (e.g., @my-org/pi-extension)
• Each module MUST export (pi: ExtensionAPI) => void | Promise<void>
• Harness dynamically loads user extensions after all six built-in gh-aw extensions; user extensions MUST NOT override built-ins
• Failed loads emit a warning; session only aborts if harness.extensions-required: true is set

§7 updated — execution code example now shows loadUserExtensions() spreading user extensions after built-ins; normative requirement #3 references §6.1.4. §7.2 summary updated.

§11 Security Considerations updated — added user extension isolation paragraph noting extensions run in-process, with guidance on auditing third-party npm packages.

§10.8 Implementation Plan updated — new item 5a documents the user extension loader implementation.

[pelikhan]

@copilot use max-effective-tokens instead as cost is not always know

[pelikhan]

@copilot already covered in steering

[pelikhan]

@copilot remove this field

[pelikhan]

@copilot look for the base url env var as well

[pelikhan]

@copilot safeoutouts are cli tools, no special support needed

[pelikhan]

@copilot all events should be store d

[Copilot]

@copilot

• remove openclaw section...

Done in 1af3ca4:

OpenClaw section removed — §4.3 and its ToC entry, §8 cross-reference, and informative reference are gone.

Pi SDK-compatible extension declaration strategy added as §6.1.4 harness.extensions:

• Two entry forms: repo-relative path to a compiled .cjs file or an npm package name
• Each module MUST export (pi: ExtensionAPI) => void | Promise<void> (Pi SDK-native signature)
• Harness dynamically loads user extensions after the five built-in gh-aw extensions; user extensions MUST NOT override built-ins
• Failed loads emit a warning; session only aborts if harness.extensions-required: true is set
• §7 code example updated to show loadUserExtensions() call

Also fixed in the same pass per other review comments: max-cost-usd → max-effective-tokens, removed warn-at-percent (covered by steering), removed harness.system, removed Safe Outputs Pi extension (safe-outputs are CLI tools via cli-proxy), added base URL env var support to Provider Setup, updated Observability to subscribe to all events.