[awf] API Proxy / Agent: Copilot CLI 1.0.21 model validation fails with classic PAT when COPILOT_MODEL is set

[lpcox]

Problem

Copilot CLI 1.0.21 introduced a startup model validation step: when COPILOT_MODEL is set, the CLI calls GET /models before executing. This endpoint rejects classic PATs (ghp_*), causing the workflow to fail with exit code 1 immediately on startup.

Workflows that do not set COPILOT_MODEL are unaffected (default model path skips validation).

Context

• Original issue: bug: Copilot CLI 1.0.21 added a startup model validation step: when COPILOT_MODEL is set gh-aw#25593
• Affected versions: gh-aw v0.67.3, AWF v0.25.16, Copilot CLI 1.0.21
• Token type affected: classic PAT (ghp_*) used as COPILOT_GITHUB_TOKEN

Root Cause

In src/docker-manager.ts, COPILOT_MODEL is not in EXCLUDED_ENV_VARS and passes freely through --env-all. When the api-proxy is enabled, COPILOT_GITHUB_TOKEN is replaced with a placeholder for credential isolation (line 651), and the real token is forwarded via the api-proxy sidecar. However, the /models endpoint validation by Copilot CLI 1.0.21 is hit before any proxy interception — it uses whichever COPILOT_GITHUB_TOKEN value is present in the agent environment at startup.

Additionally, the containers/api-proxy/server.js does not proxy the /models endpoint, so even with the api-proxy active, the model validation call may escape to the raw GitHub API using the placeholder token.

Proposed Solution

1. Short-term: In src/docker-manager.ts, when --enable-api-proxy is active, add /models to the api-proxy routing table in containers/api-proxy/server.js (Copilot listener, port 10002) so model validation calls are handled by the sidecar with a valid token.

2. Medium-term: Add a warning in AWF CLI (src/cli.ts) when COPILOT_MODEL is set and the token is a classic PAT — advise upgrading to a fine-grained token or OAuth token.

3. Documentation: Update docs/environment.md to note that COPILOT_MODEL requires a non-classic-PAT token when using Copilot CLI ≥ 1.0.21.

Generated by Firewall Issue Dispatcher · ● 1.6M · ◷

[github-actions]

👋 Hello! I noticed this issue might be related to an existing issue:

• [awf] cli-proxy: classic PAT rejected by /models validation when COPILOT_MODEL is set #1896 — [awf] cli-proxy: classic PAT rejected by /models validation when COPILOT_MODEL is set (closed as completed)

Both issues describe the same core problem: Copilot CLI 1.0.21 introduced a startup GET /models validation step that rejects classic PATs (ghp_*) when COPILOT_MODEL is set, causing agent startup failures with exit code 1.

The key difference is that #1896 focused on the cli-proxy path, while this issue (#1929) focuses on the api-proxy path and proposes routing /models through the api-proxy sidecar as a short-term fix.

If #1896 was resolved in a way that also addresses the api-proxy scenario, this issue may be a follow-up or already covered. Otherwise, the additional detail here about EXCLUDED_ENV_VARS and containers/api-proxy/server.js not proxying /models may represent a distinct gap worth tracking.

This is an automated message from the issue duplication detector.

Generated by Issue Duplication Detector for issue #1929 · ● 242K · ◷