fix: web-fetch MCP server generates container format instead of command/args

[Copilot]

tools: web-fetch was compiling to a command/args Docker exec shape that fails MCP Gateway schema validation (missing properties: 'container', additionalProperties 'command', 'args' not allowed). Affected engines: gemini, codex.

Changes

• pkg/workflow/fetch.go — renderMCPFetchServerConfig now emits the gateway-compliant container key instead of command/args:

  // Before (invalid)
  "web-fetch": { "command": "docker", "args": ["run", "-i", "--rm", "mcp/fetch"] }
  
  // After (valid)
  "web-fetch": { "container": "mcp/fetch" }

  TOML output (Codex) similarly changes from command = "docker" + args to container = "mcp/fetch".

• pkg/workflow/fetch_test.go / fetch_integration_test.go — Updated assertions to match the new container shape.

• smoke-codex.md — Added web-fetch: to the tools section and a new "Web Fetch Testing" step to exercise the MCP server.

• smoke-gemini.md — Added web-fetch: to the tools section and a new "Web Fetch Testing" step to exercise the MCP server.

• smoke-copilot.md — Already had web-fetch: in the tools section; added a "Web Fetch Testing" step to exercise it.

All three smoke test lock files now emit "container": "mcp/fetch" in the generated MCP server config.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>tools.web-fetch compiles to invalid MCP Gateway config (command/args instead of container)</issue_title>
<issue_description>tools: web-fetch currently compiles to an MCP Gateway config that fails schema validation.

Repro

Minimal workflow:

---
name: "Web Fetch Repro"
on:
  workflow_dispatch:
engine:
  id: gemini
  model: gemini-3-pro-preview
permissions:
  contents: read
tools:
  web-fetch:
strict: false
---

Compile:

gh aw compile web-fetch-repro

Actual generated lock output

Generated .lock.yml contains:

"web-fetch": {
  "command": "docker",
  "args": ["run", "-i", "--rm", "mcp/fetch"]
}

Expected

web-fetch should be rendered in a gateway-schema-compliant server shape (stdio server with container, e.g.):

"web-fetch": {
  "container": "mcp/fetch"
}

Failure symptom

Gateway startup fails with schema errors like:

• missing properties: 'container'
• additionalProperties 'command', 'args' not allowed
• location: /mcpServers/web-fetch

Engine impact

• Affected: gemini, likely codex (both rely on MCP web-fetch server generation when tools: web-fetch is requested)
• Not affected by this specific path: claude, copilot (both have built-in web-fetch support and generally skip MCP web-fetch server generation)</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes tools.web-fetch compiles to invalid MCP Gateway config (command/args instead of container) #17820

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

---

---

✨ PR Review Safe Output Test - Run 22292196576

💥 [THE END] — Illustrated by Smoke Claude

[pelikhan]

@copilot add add web-fetch to smoke-plod and smoke-codex. And to smoke copilot.

[Copilot]

@copilot add add web-fetch to smoke-plod and smoke-codex. And to smoke copilot.

Done in d9b5066:

• smoke-codex: added web-fetch: to tools + "Web Fetch Testing" step (step 4)
• smoke-gemini (smoke-plod): added web-fetch: to tools + "Web Fetch Testing" step (step 2)
• smoke-copilot: already had web-fetch: in tools — added "Web Fetch Testing" step (step 5)

All three lock files now contain "container": "mcp/fetch" (the correct MCP Gateway format fixed in this PR).

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

🤖 Smoke test 22292196548 results for PR #17822:

Test	Status
GitHub MCP	✅
Safe Inputs GH CLI	✅
Serena MCP	❌
Playwright	❌
Web Fetch	✅
File Writing	✅
Bash Tool	✅
Discussion Interaction	✅
Build gh-aw	✅
Discussion Creation	✅
Workflow Dispatch	✅
PR Review	✅

Overall: ⚠️ PARTIAL PASS (Serena/Playwright not available in Copilot context)

PR author: @app/copilot-swe-agent | Run: §22292196548

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

This PR adds web-fetch MCP server support to the smoke-codex workflow, enabling the web_fetch tool test. Changes look correct — the container image is properly registered in both the download list and MCP server config. Minor suggestion: consider pinning the mcp/fetch image to a specific version for reproducibility.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

The mcp/fetch container image is included in the download list and wired up correctly in the MCP server config. One minor note: the image mcp/fetch doesn't specify a version tag — consider pinning to a specific version (e.g., mcp/fetch:latest or a digest) for reproducibility.

[github-actions]

Smoke test results:
PRs: #17824 [jsweep] Clean close_discussion.cjs; #17819 Fix smoke-copilot golden file to include --browser-arg --no-sandbox in Playwright entrypointArgs
GitHub MCP (2 merged PRs): ✅
Serena MCP (activate+find_symbol>=3): ✅
Playwright MCP (page title): ❌ (tool unavailable)
Web fetch https://github.com contains GitHub: ✅
File write+cat: ✅ | Build make build: ✅ | Overall: FAIL

🔮 The oracle has spoken through Smoke Codex

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

✅ Commit pushed: 32f1740

[github-actions]

Smoke Test Results - Run §22292196576

Test	Status
1. GitHub MCP	✅
2. Safe Inputs GH CLI	✅
3. Serena MCP	✅
4. Make Build	✅
5. Playwright	⚠️ (fallback)
6. Tavily Search	✅
7. File Writing	✅
8. Bash Tool	✅
9. Discussion Comment	✅
10. Agentic Workflows MCP	✅
11. Update PR	✅
12. Review Comments	✅
13. Submit Review	✅
14. Resolve Thread	✅
15. Add Reviewer	✅
16. Push to Branch	✅
17. Close PR	⚠️ (skipped)

Overall: PARTIAL (2 skipped/fallback)

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude

[Copilot]

Pull request overview

Fixes invalid MCP Gateway configuration generation for tools: web-fetch by emitting a gateway-schema-compliant container server shape (instead of command/args), and updates tests and smoke workflows/locks accordingly.

Changes:

• Update renderMCPFetchServerConfig to render "container": "mcp/fetch" for JSON and container = "mcp/fetch" for TOML.
• Adjust unit/integration tests to assert the new container shape.
• Extend Gemini/Codex/Copilot smoke workflows and regenerated lock files to exercise web-fetch and include the mcp/fetch image/config.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
pkg/workflow/fetch.go	Emit gateway-compliant container config for the web-fetch MCP server.
pkg/workflow/fetch_test.go	Update assertions for the new JSON/TOML rendering shape.
pkg/workflow/fetch_integration_test.go	Update integration assertions to check container = "mcp/fetch" / "container": "mcp/fetch".
.github/workflows/smoke-gemini.md	Add web-fetch tool + a dedicated smoke step to validate it.
.github/workflows/smoke-gemini.lock.yml	Regenerate lock to include mcp/fetch image download and web-fetch MCP server config.
.github/workflows/smoke-codex.md	Add web-fetch tool + a dedicated smoke step to validate it.
.github/workflows/smoke-codex.lock.yml	Regenerate lock to include mcp/fetch image download and web-fetch MCP server config (TOML + JSON).
.github/workflows/smoke-copilot.md	Add a dedicated web-fetch smoke step (tool already present).
smoke-test-claude-22292196576.md	Add smoke-test run marker file.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The comment above webFetchConfig says renderMCPFetchServerConfig() uses a “standardized Docker command format”, but the renderer now emits a gateway-schema container key (no docker command/args). Please update the comment to reflect the container-based MCP Gateway shape to avoid misleading future changes.

See below for a potential fix:

	// The actual rendering is done by renderMCPFetchServerConfig(), which emits
	// the MCP Gateway container-based schema (using the \"container\" field) for all engines.