docs: credential exclusion requires apiProxy.enabled#3550
Conversation
Add normative §9.4 requiring that tools MUST NOT exclude LLM API keys via excludeEnv without enabling the api-proxy sidecar. Without the proxy, the agent gets no key and no placeholder, causing auth failures. This codifies the root cause of gh-aw#32446 and gh-aw#33766 where Codex workflows failed because OPENAI_API_KEY was excluded without enabling the api-proxy that provides placeholder injection. Also updates the JSON schema description for excludeEnv to warn about this constraint. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Smoke Test Results✅ GitHub API: 2 PR entries confirmed Overall: PASS
|
🔬 Smoke Test Results
Overall: FAIL — Pre-computed step outputs ( PR by @lpcox · Reviewer:
|
|
Smoke Test: Copilot BYOK (Offline) Mode
Running in BYOK offline mode ( Overall: PARTIAL (tests 2 & 3 skipped due to missing pre-step outputs)
|
|
Smoke Test: FAIL. Connectivity: ❌, File Write: ✅, Bash: ✅, MCP: ❌ Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
🏗️ Build Test Suite Results
Overall: 8/8 ecosystems passed — ✅ PASS
|
|
Reviewed merged PRs: docs: credential exclusion requires apiProxy.enabled; fix(squid): chown bind-mounted log dirs to proxy user on startup Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "registry.npmjs.org"See Network Configuration for more information.
|
Smoke Test Results — FAIL ❌
Overall: FAIL —
|
PR #3550 updated docs/awf-config.schema.json but missed src/ copy. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix(dind-probe): address review feedback from #3554 - Distinguish 'inconclusive' (Docker unreachable, timeout, infra error) from 'splitDetected' (confirmed split filesystem). Infrastructure errors (exit code ≥125, ENOENT, timeout) no longer falsely report split topology. - Add fail-fast Docker connectivity check (docker info, 5s timeout) before running probe containers. If Docker is unreachable, return immediately instead of waiting up to 45s across 3 probe attempts. - Reduce per-probe timeout from 15s to 10s (worst-case: 5s ping + 30s probes vs previous 45s). - Remove duplicate info-level logging from probe module. Only the caller (main-action.ts) logs at info level; probe uses debug throughout. - Fix brittle timeout test: explicitly mock all execa calls including the connectivity check, and align assertions with the new 'inconclusive' semantics. - Fix OS-specific setup error test: use chmod to force permission errors instead of relying on /proc path behavior. - Add new test cases: Docker unreachable, docker info timeout, exit 125 infrastructure error, probe throw → all verify inconclusive behavior. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix: sync src schema excludeEnv with docs copy PR #3550 updated docs/awf-config.schema.json but missed src/ copy. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 participant
Add normative §9.4 to the AWF config spec requiring that tools MUST NOT exclude LLM API keys via
excludeEnvwithout enabling the api-proxy sidecar.Without the proxy, the agent gets no key and no placeholder, causing authentication failures at runtime.
This codifies the root cause of github/gh-aw#32446 and github/gh-aw#33766 where Codex workflows failed because
OPENAI_API_KEYwas excluded without enabling the api-proxy that provides placeholder injection.Also updates the JSON schema description for
excludeEnvto warn about this constraint.Ref: github/gh-aw#33833 (comment)