feat(api-proxy): add allow/deny model policy to apiProxy config

[Copilot]

Adds apiProxy.allowedModels and apiProxy.disallowedModels to the AWF config — provider-scoped glob lists that gate which models the api-proxy will resolve and serve. Patterns follow the gh-aw model-alias spec (provider/modelglob, */glob, or bare glob). Denylist wins; non-empty allowlist requires a match; both empty = allow all.

{
  "apiProxy": {
    "allowedModels": ["copilot/gpt-*", "copilot/claude-sonnet-*"],
    "disallowedModels": ["*/claude-opus-*", "copilot/o1-*"]
  }
}

Enforcement

• Alias resolution — resolveModel, selectMiddlePowerFallback, and filterResolvableAliases filter candidates through the policy, so blocked models can't sneak in via aliases or middle-power fallback, and /reflect hides aliases that resolve only to blocked models.

• Inference requests — rewriteModelInBody re-checks the resolved model and returns a blocked sentinel; composeBodyTransforms short-circuits the chain and proxy-request.js responds 403 model_blocked_by_policy:

  {
    "error": {
      "type": "model_blocked_by_policy",
      "message": "Model 'claude-opus-4' is blocked by AWF policy",
      "provider": "copilot",
      "model": "claude-opus-4",
      "reason": "disallowed"
    }
  }

Plumbing

• Schema (docs/awf-config.schema.json, regenerated src/awf-config-schema.json), AwfFileConfig mapping, ApiProxyOptions, LogAndLimitsResult validation, and WrapperConfig threading.
• api-proxy-service-config.ts forwards AWF_ALLOWED_MODELS / AWF_DISALLOWED_MODELS (JSON-encoded string[]) to the sidecar; model-config.js parses them into a frozen MODEL_POLICY and activates the body transform whenever aliases or policy are set.

Docs

• New §12.7 "Model Allow/Deny Policy" in docs/awf-config-spec.md plus CLI-mapping entries.
• Both fields are config-file-only; no CLI flags added.

Tests

• New coverage in model-resolver.test.js for parseModelGlobList, matchProviderModelPattern, checkModelPolicy, policy-aware resolveModel, and blocked-request paths through rewriteModelInBody.
• Validator coverage in validate-options.test.ts for the validateModelGlobList branch of src/commands/validators/log-and-limits.ts (invalid type, non-string entries, empty/whitespace trimming, happy path).

Smoke workflow

• New .github/workflows/smoke-model-policy.md (Copilot engine, AWF sandbox) exercises the policy end-to-end: the agent curls $COPILOT_API_URL/chat/completions with a model matching the injected disallow pattern and asserts HTTP 403 + "type":"model_blocked_by_policy". A post-step also greps the api-proxy JSONL logs for blocked_model entries as a secondary check.
• scripts/ci/postprocess-smoke-workflows.ts now injects apiProxy.allowedModels: ["*"] and apiProxy.disallowedModels: ["*/awf-smoke-blocked-test-model*"] into the inline awf-config.json JSON emitted by the gh-aw compiler — scoped to smoke-model-policy.lock.yml only and idempotent via a negative-lookahead regex. The disallow pattern is intentionally namespaced so it never collides with a real model and the agent's own model is unaffected.
• Added 5 regex unit tests in scripts/ci/postprocess-smoke-workflows.test.ts covering match, replacement, both idempotency branches, and a no-match guard.

[github-actions]

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit 003c6f2

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	96.61%	96.51%	📉 -0.10%
Statements	96.51%	96.40%	📉 -0.11%
Functions	98.70%	98.16%	📉 -0.54%
Branches	91.03%	90.69%	📉 -0.34%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/commands/validators/log-and-limits.ts	90.3% → 82.7% (-7.66%)	90.3% → 81.8% (-8.51%)
src/config-writer.ts	89.3% → 90.9% (+1.65%)	89.3% → 90.9% (+1.65%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[zarenner]

@copilot fix failing checks, also add test agentic workflow(s)

[Copilot]

@copilot fix failing checks, also add test agentic workflow(s)

Looked at the failing checks:

• Test Coverage: Regression was on src/commands/validators/log-and-limits.ts (the new validateModelGlobList branch was uncovered). Added 6 unit tests in validate-options.test.ts covering invalid type, non-string entries, empty/whitespace trimming, and the happy path. Local run is now 92.0% (lines) for that file (baseline was 90.3%).
• PR Title Check: The PR title Add allow/deny model policy to apiProxy config doesn't carry a Conventional Commits prefix (e.g. feat: / feat(api-proxy):). I can't edit PR titles from here — could you rename it? E.g. feat(api-proxy): add allow/deny model policy to apiProxy config.
• Smoke Copilot BYOK AOAI and Security Guard: Both failures are inside the agentic step (Agent did not call add_comment on a pull_request trigger / Claude CLI exited non-zero) and aren't caused by anything in this PR. Re-running once the title is fixed should clear them.

For the test agentic workflow(s) ask — could you clarify what you'd like to see? apiProxy.allowedModels / disallowedModels are config-file-only and the awf-config.json consumed under sandbox: agent: id: awf is generated by gh-aw from its built-in defaults (no .md frontmatter path to inject policy today). Two options I can pursue:

1. A new smoke .md workflow that exercises the policy by mutating the gh-aw-generated awf-config.json via scripts/ci/postprocess-smoke-workflows.ts (injects allowedModels/disallowedModels post-compile, asserts the sidecar returns model_blocked_by_policy).
2. A bash-only integration job (like test-examples.yml) that runs awf --config <fixture> against an apiProxy.allowedModels / disallowedModels fixture and asserts the sidecar behavior end-to-end without an agent.

Which would you prefer (or both)?

[lpcox]

@copilot resolve the merge conflicts in this pull request, merge main, recompile workflows, and make sure that all docs specs and schema are updated. nonsecurity sensitive params should be passed by stdinconfig and all security sensitive params should be passed by environment variable

[Copilot]

@copilot resolve the merge conflicts in this pull request, merge main, recompile workflows, and make sure that all docs specs and schema are updated. nonsecurity sensitive params should be passed by s...

Done in 74a419a (merge) + the follow-up commit.

• Conflicts resolved: model-resolver.js, model-body-rewriter.js, model-config.js, proxy-request.js. Main split model-resolver and refactored proxyRequest into collectRequestBody/transformRequestBody. I kept the policy helpers (parseModelGlobList, normalizeModelPolicy, checkModelPolicy, matchProviderModelPattern) in model-resolver, moved the policy-aware rewriteModelInBody into model-body-rewriter, and threaded the { blocked: true, ... } sentinel through transformRequestBody → proxyRequest so a blocked model still returns 403 model_blocked_by_policy.
• Workflows recompiled with current gh-aw + postprocess-smoke-workflows.ts. Only smoke-model-policy.lock.yml regenerated on this branch (the rest were already up-to-date via the merge).
• Postprocess fix: the modern compiler emits the inline awf-config.json as a YAML double-quoted string, so the JSON " is escaped as \". The injection regex now matches both raw "apiProxy":{ and escaped \"apiProxy\":\{ forms (idempotent + replacement preserves whichever quoting was found). Added two new regex unit tests for the escaped form.
• Docs / spec / schema verified post-merge: docs/awf-config-spec.md §12.7 + CLI-mapping entries and docs/awf-config.schema.json / src/awf-config-schema.json still describe apiProxy.allowedModels / apiProxy.disallowedModels.
• Sensitive vs. non-sensitive split: the policy lists are non-sensitive and configured exclusively via the AWF JSON config file (which awf can read from stdin via --config -) — no CLI flag, no env-var entrypoint on the host. They're forwarded into the api-proxy container via AWF_ALLOWED_MODELS / AWF_DISALLOWED_MODELS (the same env-passthrough used for every other non-sensitive sidecar config like modelAliases, modelFallback, maxRuns, etc.); sensitive material (API keys, OIDC creds) continues to flow only via env vars to the sidecar and is never placed in the agent environment. Happy to refactor the in-container channel to a separate mechanism if you'd like a different split — just let me know.
• Tests: npm run test:unit → 2491/2491 ✓, containers/api-proxy && npm test → 1013/1013 ✓.

[github-actions]

⚠️ Coverage Regression Detected

This PR decreases test coverage. Please add tests to maintain coverage levels.

Overall Coverage

Metric	Base	PR	Delta
Lines	96.42%	96.47%	📈 +0.05%
Statements	96.34%	96.39%	📈 +0.05%
Functions	98.77%	98.78%	📈 +0.01%
Branches	90.74%	90.69%	📉 -0.05%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/config-writer.ts	89.3% → 90.9% (+1.65%)	89.3% → 90.9% (+1.65%)
src/commands/validators/log-and-limits.ts	90.3% → 92.0% (+1.68%)	90.3% → 92.2% (+1.88%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

Smoke Test: API Proxy Model Allow/Deny Policy ✅ PASS

Check	Result
HTTP status	403
model_blocked_by_policy in body	✅ yes
Blocked model	awf-smoke-blocked-test-model-001

🛡️ Model policy enforced by Smoke Model Policy

[github-actions]

🔬 Smoke Test: Copilot PAT Auth — Results

Test	Result
GitHub MCP connectivity	✅ PR listed successfully
GitHub.com HTTP connectivity	✅ HTTP 200
File write/read	❌ Pre-step outputs not substituted (smoke-data step unavailable)

Overall: FAIL — pre-computed smoke-data outputs were not substituted; file test could not be verified.

Auth mode: PAT (COPILOT_GITHUB_TOKEN)
PR: "feat(api-proxy): add allow/deny model policy to apiProxy config" by @Copilot — assignees: @zarenner, @Copilot

🔑 PAT report filed by Smoke Copilot PAT

[github-actions]

🔥 Smoke Test: PASS

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP (200)	✅
File write/read	✅

PR: feat(api-proxy): add allow/deny model policy to apiProxy config
Author: @Copilot · Assignees: @zarenner, @Copilot

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: Copilot BYOK (Direct) Mode ✅ PASS

Recent PRs verified:

• fix: propagate apiProxy.diagnostics config fields to all layers #4743: fix: propagate apiProxy.diagnostics config fields to all layers
• [Test Coverage] host-iptables branch coverage #4738: [Test Coverage] host-iptables branch coverage

Test Results:

• ✅ GitHub MCP connectivity verified
• ✅ github.com HTTP 200 (connectivity OK)
• ✅ BYOK inference path active (agent → api-proxy → api.githubcopilot.com)
• ✅ Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY via api-proxy)

PR: #4406 · Allow/deny model policy by @Copilot
Assignees: @zarenner, @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test: Copilot BYOK (Direct) Mode — Azure OpenAI (Foundry, Entra / GitHub OIDC)

• MCP connectivity (github-list_pull_requests): ✅
• github.com HTTP connectivity: ✅
• File write/read test: ✅
• BYOK inference test: ✅
  Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra
  Overall status: PASS
  cc @Copilot

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• api.openai.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "api.openai.com"

See Network Configuration for more information.

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

[github-actions]

@Copilot @zarenner

• smoke-copilot-byok-aoai-apikey: ✅ MCP connectivity
• GitHub.com HTTP: ✅ 200
• Agent file I/O: ✅
• Direct BYOK to Azure OpenAI: ✅

Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)

Overall: PASS

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

[github-actions]

Smoke Test Results

• fix: update workflow test SHA assertions after recompile
• feat: persist redacted resolved config as audit artifact
• Merged PRs: ✅
• Safe Inputs GH CLI: ✅
• Playwright: ✅
• File Write/Read: ✅
• Discussion Comment: ✅
• Build: ✅
• Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Smoke Test Results ❌

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.16.0	v22.22.3	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: FAILED — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot

[github-actions]

📡 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario	Result	Detail
S1: Module Loading	✅	otel.js loaded, isEnabled: true; exports startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled
S2: Test Suite	✅	39/39 tests passed (otel.test.js — spans, token attrs, parent context, serialization, exporters)
S3: Env Var Forwarding	⚠️	Validation script greps api-proxy-service.ts but OTEL vars (OTEL_EXPORTER_OTLP_ENDPOINT, GITHUB_AW_OTEL_TRACE_ID, etc.) are forwarded in api-proxy-service-config.ts — false negative in step script, actual forwarding is correct
S4: Token Tracker Integration	✅	onUsage callback present in token-tracker-http.js (OTEL hook point confirmed)
S5: OTEL Diagnostics	i️	No otel.jsonl file (api-proxy not active during static validation — expected)

All tracing scenarios pass. The S3 validation script should be updated to grep api-proxy-service-config.ts instead of api-proxy-service.ts.

📡 OTel tracing validated by Smoke OTel Tracing

[github-actions]

Smoke Test Results: GitHub Actions Services Connectivity

Check	Result
Redis PING	❌ Timed out — no route to 172.17.0.1:6379
PostgreSQL pg_isready	❌ No response on 172.17.0.1:5432
PostgreSQL SELECT 1	❌ Timed out

Overall: FAIL

host.docker.internal resolves to 172.17.0.1, but the AWF agent container (at 172.30.0.20 on awf-net 172.30.0.0/24) has no route to the Docker bridge network. Database ports (6379, 5432) are also blocked by AWF iptables rules by design.

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #4406 · 207 AIC · ⊞ 33.8K · ◷