[awf] Docker Manager: session-state events.jsonl inaccessible as workflow artifact

[lpcox]

Problem

When the Copilot CLI runs inside the AWF sandbox container, session-state files (events.jsonl) are written to $HOME/.copilot/session-state/ inside the container, but the compiled workflow's "Copy Copilot session state files" step reads from the host's $HOME/.copilot/session-state/, which is empty. The agent_outputs artifact never contains events.jsonl.

Context

Original report: github/gh-aw#19648

The AWF sandbox already mounts $HOME/.copilot/logs/ (agent-logs) to a host path — it uses the same pattern for Squid logs. The --session-state-dir flag (AWF_SESSION_STATE_DIR) is documented in stored memory and mounts $HOME/.copilot/session-state inside the container. However, the compiled workflow's copy step doesn't know about the volume mount destination and reads the host path directly.

AWF stores session state at src/cli.ts:1545-1552 and mounts it via src/docker-manager.ts:1856-1878.

Root Cause

The compiled workflow's artifact upload step uses $HOME/.copilot/session-state (host path) which is never populated when awf runs the CLI inside the container. The session state volume is only mounted when --session-state-dir is explicitly passed; without it, no host path is configured, so events.jsonl is inaccessible after the container exits.

Proposed Solution

1. Auto-mount session-state directory by default: In src/docker-manager.ts, unconditionally mount \$\{workDir}/session-state/ to $HOME/.copilot/session-state inside the container (similar to how agent-logs/ is mounted at line 172). Create the directory if it doesn't exist.
2. Preserve session-state on cleanup: In the cleanup() function in src/docker-manager.ts (around line 540), add logic to move \$\{workDir}/session-state/ to /tmp/awf-session-state-<timestamp>/ (analogous to existing agent-logs preservation at line 540-550), and log the preserved path.
3. Update src/cli.ts: Log the session-state directory path on startup (similar to how agent-logs and squid-logs paths are logged).
4. Update compiled workflow template: Ensure the "Copy Copilot session state files" step in compiled workflows copies from the preserved host path (/tmp/awf-session-state-*/ or \$\{workDir}/session-state/) rather than from $HOME/.copilot/session-state on the host runner.
5. Add to firewall-audit-logs artifact: Include events.jsonl in the firewall-audit-logs artifact upload so downstream consumers can parse the structured conversation log.

Generated by Firewall Issue Dispatcher · ● 2.1M · ◷

[github-actions]

👋 Hello! I noticed this issue might be related to existing issues:

• [awf] Docker Manager: Copilot CLI events.jsonl not captured in artifact (session-state written inside container) #1932 - [awf] Docker Manager: Copilot CLI events.jsonl not captured in artifact (session-state written inside container) — describes the same root cause (session-state written inside the container, not accessible from the host path in artifact upload steps)
• agent-container: add volume mount for ~/.copilot/session-state so events.jsonl is accessible for artifact upload #1466 - agent-container: add volume mount for ~/.copilot/session-state so events.jsonl is accessible for artifact upload — requests the same volume mount fix for ~/.copilot/session-state

Both issues describe the same core problem: events.jsonl is written inside the AWF container but the workflow artifact step reads from the host path, so the file is never captured.

If either of these addresses your concern (especially if #1932 was resolved and regressed, or #1466's fix was incomplete), please consider linking or closing as a duplicate. Otherwise, feel free to clarify how your issue differs!

This is an automated message from the issue duplication detector.

Generated by Issue Duplication Detector for issue #2014 · ● 295.8K · ◷

[lpcox]

Fixed by #1945 (capture Copilot CLI session state events.jsonl in AWF sandbox artifacts) and #1593 (--session-state-dir). Merged to main.