docs(sandbox): remove Custom AWF Configuration and Custom MCP Gateway Configuration sections by Copilot · Pull Request #22310 · github/gh-aw

Copilot · 2026-03-22T19:26:12Z

Custom AWF Configuration and Custom MCP Gateway Configuration are implementation/debugging details that should not be publicly exposed. Removes them from the sandbox reference docs and enforces this boundary in strict mode.

Changes

Removed #### Custom AWF Configuration — command, args, env fields for replacing the AWF binary with a custom setup
Removed ##### Custom Mounts — sandbox.agent.mounts documentation
Removed ### Configuration Options (MCP Gateway) — entire table + execution mode examples (command, container, version, entrypointArgs, etc.)
Removed dangling reference to sandbox.agent.mounts in the Filesystem Access section
Schema x-internal marker — added "x-internal": true to the internal agent sandbox fields (command, args, env) and MCP gateway fields (container, version, entrypoint, args, entrypointArgs) in pkg/parser/schemas/main_workflow_schema.json
Doc generator — updated scripts/generate-schema-docs.js to skip x-internal: true fields when generating the frontmatter reference doc, analogous to deprecated: true handling
Strict mode validation — added validateStrictSandboxCustomization in pkg/workflow/strict_mode_sandbox_validation.go; configuring any internal sandbox field is now a compilation error in strict mode (the default). Internal workflows and test fixtures that legitimately use these fields opt out with strict: false.

💬 Send tasks to Copilot coding agent from Slack and Teams to turn conversations into code. Copilot posts an update in your thread when it's finished.

pelikhan · 2026-03-22T19:28:47Z

The script that generates the full frontmatter markdown doc file should ignore fields marked as deprecated or internal.

pelikhan · 2026-03-22T19:29:45Z

@copilot

pelikhan · 2026-03-22T19:31:21Z

@copilot configuring these fields should be treated as an error in strict mode. The sandbox field cannot be customized when strict mode is enabled.

…ation sections These are now implementation/debugging details and should not be publicly documented. Removes: - Custom AWF Configuration section (command, args, env overrides) - Custom Mounts subsection (sandbox.agent.mounts) - MCP Gateway Configuration Options table (command, container, etc.) - Dangling reference to sandbox.agent.mounts in Filesystem Access Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/4b4f1db3-8b63-420c-b13a-644990344883

…idate in strict mode - Add "x-internal": true to agent sandbox (command, args, env) and MCP gateway (container, version, entrypoint, args, entrypointArgs) fields in the JSON schema - Update generate-schema-docs.js to skip x-internal fields (analogous to deprecated field handling) - Add validateStrictSandboxCustomization() that errors when internal sandbox fields are used in strict mode - Call the new validation from the compiler orchestrator - Set strict: false on smoke test workflows that legitimately use internal sandbox fields - Add strict: false to existing test fixtures that use internal fields - Add tests for the new strict mode sandbox validation Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/693539a7-68f3-40fe-a2fa-df98eb6d9e13

Copilot · 2026-03-22T20:05:49Z

The script that generates the full frontmatter markdown doc file should ignore fields marked as deprecated or internal.

Done in commit d18ef23. Added "x-internal": true to the internal agent sandbox fields (command, args, env) and MCP gateway fields (container, version, entrypoint, args, entrypointArgs) in the JSON schema. Updated scripts/generate-schema-docs.js to skip these fields when generating the frontmatter reference doc, analogous to the existing deprecated: true handling.

@copilot configuring these fields should be treated as an error in strict mode. The sandbox field cannot be customized when strict mode is enabled.

Done in commit d18ef23. Added validateStrictSandboxCustomization (in pkg/workflow/strict_mode_sandbox_validation.go) that returns an error in strict mode when any internal sandbox field is configured (sandbox.agent.command/args/env or sandbox.mcp.container/version/entrypoint/args/entrypointArgs). The validation is called from the compiler orchestrator alongside validateStrictFirewall. Internal smoke test workflows and E2E tests that legitimately use these fields now opt out with strict: false.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git .js' --ignore-pagit GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GOMOD GOMODCACHE go EnableCommentTool=true;EnablePlanTool=true] -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/orgs/test-owner/actions/secrets
- Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name cd actions/setupGOINSECURE go 64/bin/go tierignore GO111MODULE x_amd64/cgo go env -json GO111MODULE de GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name ner /usr/bin/gh $name) { hasDiscussionsEnabled } } ithub/workflows -f er: String!, $na/home/REDACTED/work/gh-aw/gh-aw/.github/workflows grep nmen�� r git /usr/bin/grep /home/REDACTED/worgit l repository(owne/home/REDACTED/work/gh-aw/gh-aw/.github/workflows grep (http block)
- Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name --show-toplevel git ache/node/24.14.0/x64/bin/npm --show-toplevel git low.test ache/node/24.14.0/x64/bin/npm rev-�� nly low.test /usr/bin/git --show-toplevel git ntE2E|TestMCPGatewayMountsE2E|Te--show-toplevel git (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --git-dir go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --git-dir go /opt/hostedtoolcache/node/24.14.0/x64/bin/node json' --ignore-pgit GO111MODULE 64/bin/go /opt/hostedtoolcache/node/24.14.0/x64/bin/node (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel ./gh-aw /usr/bin/git glossary-maintaigit /usr/bin/gh r: $owner, name:--show-toplevel git init�� (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel bash /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel /bin/sh /usr/bin/git git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha 3159945/b436/stringutil.test node epo.git --write ../../../pkg/worrev-parse 64/bin/go vsiWHJxF12LLI/8MBkAlss8NoqMJPDT0us/3YdcVDbgE0y5Gdx8vjli/alK5YuEvrev-parse -o ry=1 -trimpath ache/node/24.14.0/x64/bin/node -p github.com/githurev-parse -lang=go1.25 git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/gh /home/REDACTED/worgit l /usr/bin/git /usr/bin/gh api graphql -f /usr/bin/git -f owner=github -f git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --count 583a884deabaa3490418c97a40402077fc3b8c60..HEAD /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env .js' --ignore-path .prettierignore GO111MODULE .test GOINSECURE GOMOD GOMODCACHE .test (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE .cfg git rev-�� --show-toplevel go /usr/bin/git blog-auditor.md GO111MODULE 0/x64/bin/node git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --get remote.origin.url /usr/bin/git -json GO111MODULE 64/bin/go git init�� GOMODCACHE go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --get remote.origin.url /usr/lib/git-core/git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel .test /usr/bin/git -json GO111MODULE ache/uv/0.10.12/--show-toplevel git rev-�� --show-toplevel go /usr/bin/git heck '**/*.cjs' git GO111MODULE les.test git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha "prettier" --wriGOINSECURE go 64/bin/go tierignore GO111MODULE 64/bin/go node /hom�� --write ../../../**/*.js**/*.json 64/bin/go --ignore-path ../../../.pretti-c 64/bin/go go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha "prettier" --wriGOSUMDB go 64/bin/go -json GO111MODULE 64/bin/go go env h ../../../.prettierignore GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --write ../../../**/*.jsGOWORK 64/bin/go --ignore-path ../../../.pretti/home/REDACTED/.npm/_npx/b388654678d519d9/node_modules/.bin/prettier /sh go env h ../../../.pret.prettierignore GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha GOMODCACHE go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� -aw/git/ref/tags/v1.0.0 go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel git (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git conf�� user.email test@example.com /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /opt/hostedtoolcache/node/24.14.0/x64/bin/node /home/REDACTED/worgit l r: $owner, name:--show-toplevel node /tmp�� /home/REDACTED/work/gh-aw/gh-aw/.github/workflows/audit-workflows.md git /usr/bin/git /home/REDACTED/worgit l 0/x64/bin/bash git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel basename /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel bash /usr/bin/git git (http block)
https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha -json GO111MODULE /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/sh GOINSECURE GOMOD GOMODCACHE sh -c runs/20260322-194515-37227/test-1874747449/.github/workflows GOPROXY /bin/sh l GOWORK 64/bin/go /bin/sh (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse .cfg ithub/workflows iptables /usr/bin/basenam--show-toplevel docker imag�� licyMinIntegrityOnlyCompiledOutput2282021406/001 mcp/markitdown 7676451/b309/vet.cfg ithub/workflows git /usr/bin/basenam--show-toplevel infocmp (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel grep /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel grep /usr/bin/git git (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env eference/frontmatter-full.md GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha epOnly,Imports,ImportMap,TestImports,XTestImpor GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuconfig env -json GO111MODULE repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha ck '**/*.cjs' '*remote.origin.url GO111MODULE r: $owner, name: $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE go env ithub/workflows GO111MODULE r: $owner, name:-f GOINSECURE %H %ct %D 5fbf7035009a5b21xterm-color go (http block)
https://api.github.com/repos/github/gh-aw
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config e remote.origin.urgrep GO111MODULE r: $owner, name: $name) { has--show-toplevel /usr/bin/gh s/ai�� graphql -f e -f owner=github -f infocmp (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility view @sentry/mcp-server@0.29.0 /usr/bin/docker ithub/workflows GO111MODULE ache/go/1.25.0/x--get docker imag�� inspect mcp/fetch /opt/hostedtoolcache/node/24.14.0/x64/bin/bash npx prettier --cbash GOPROXY me: String!) { --noprofile bash (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --show-toplevel bash r: $owner, name: $name) { hasDiscussionsEnabled } } --noprofile go me: String!) { graphql git rev-�� --show-toplevel git /usr/bin/git ithub/workflows config /usr/bin/infocmpinspect git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha 4515-37227/test-4169010621 GO111MODULE 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE sh t-ha�� ithub/workflows/audit-workflows.md GOPROXY /usr/bin/git GOSUMDB GOWORK 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/infocmp ithub/workflows git /usr/bin/basenam--show-toplevel infocmp -1 xterm-color basename /usr/bin/infocmp ithub/workflows git /usr/bin/basenam--show-toplevel infocmp (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel grep /usr/bin/git git rev-�� --show-toplevel git /usr/bin/infocmp --show-toplevel grep /usr/bin/git infocmp (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/sh GOINSECURE GOMOD GOMODCACHE sh -c k/gh-aw/gh-aw/.github/workflows GOPROXY /usr/bin/git GOSUMDB GOWORK 64/bin/go git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/git k/gh-aw/gh-aw/.ggit s not exist yet"rev-parse $name) { has--show-toplevel git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config 7676451/b424/vet.cfg remote.origin.urgit config /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
- Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go estl�� -json GO111MODULE bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 git At,event,headBranch,headSha,displayTitle l rev-parse bin/bash git rev-�� artifacts-summary.md infocmp (http block)
- Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 82ce38138e39d2f9459240f0688b8b7724ff506b /usr/bin/git 0/x64/bin/node git /home/REDACTED/.lo--git-dir git rev-�� --show-toplevel bash 0/x64/bin/node --noprofile git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
- Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 config (http block)
- Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 Update initial file x_amd64/vet 0/x64/bin/node git /home/REDACTED/.do--show-toplevel x_amd64/vet rev-�� --show-toplevel bash 0/x64/bin/node --noprofile git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
- Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 /usr/bin/gh /usr/local/.ghcup/bin/bash ithub/workflows -f sh bash --no�� k/gh-aw/gh-aw/.github/workflows git me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } ithub/workflows config /usr/bin/gh gcc (http block)
- Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 node /usr/bin/git 0/x64/bin/node git /usr/local/.ghcu--show-toplevel git estl�� --show-toplevel bash x_amd64/compile --noprofile git /usr/bin/git x_amd64/compile (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
- Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env -json GO111MODULE de_modules/.bin/sh GOINSECURE GOMOD GOMODCACHE HC/wPHmRHH07drGotDxh6_4/9rUbv3kNVNgnGPLEQds7 (http block)
- Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 remote.origin.url (http block)
- Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 82ce38138e39d2f9459240f0688b8b7724ff506b..HEAD /usr/bin/git 0/x64/bin/node git /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel bash 0/x64/bin/node --noprofile git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
- Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE ules/.bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 rev-parse /usr/bin/grep k/gh-aw/gh-aw/.ggit -f ache/node/24.14.--show-toplevel grep -E strict mode:|��|�� git 0/x64/bin/node /home/REDACTED/worgit config DiscussionsEnabl--show-toplevel /usr/bin/gh (http block)
- Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 82ce38138e39d2f9459240f0688b8b77-w x_amd64/vet 0/x64/bin/node git /home/REDACTED/go/--show-toplevel x_amd64/vet rev-�� --show-toplevel bash 0/x64/bin/node --noprofile git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
- Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 config me: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } remote.origin.urgit go ed } } git rev-�� artifacts-summary.md /usr/bin/gh /usr/bin/infocmp graphql -f /usr/bin/infocmp--show-toplevel infocmp (http block)
- Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 82ce38138e39d2f9459240f0688b8b7724ff506b..HEAD /usr/bin/git 0/x64/bin/node git /opt/hostedtoolcgithub.event.inputs.branch git rev-�� --show-toplevel bash 0/x64/bin/node --noprofile git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
- Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE h GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 git /usr/bin/git l rev-parse /usr/bin/infocmp o "�� Warning: .github/aw/actions-lock.json does not exist yet"rev-parse conf�� k/gh-aw/gh-aw/.github/workflows remote.origin.url /usr/bin/gh ithub/workflows go /usr/bin/git /usr/bin/gh (http block)
- Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 node x_amd64/vet 0/x64/bin/node git /home/REDACTED/wor--show-toplevel x_amd64/vet rev-�� --show-toplevel bash 0/x64/bin/node --noprofile git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path run format:pkg-json 64/bin/go -json GO111MODULE /prettier go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env re GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE 0/x64/bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env y_only_defaults_repo3454405159/001 GO111MODULE 0/x64/bin/npx GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha dependabot-burner git e ithub/workflows rev-parse /usr/bin/gh ./gh-aw s/sm�� github-mcp-tools-s /usr/bin/gh r: $owner, name:-buildmode=exe |mcp.*container -f status-update.md/tmp/TestHashStability_SameInputSameOutput830519038/001/stability-test.md ./gh-aw (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /usr/bin/git k/gh-aw/gh-aw/.ggit config 0/x64/bin/node git rev-�� --show-toplevel git /usr/bin/git ithub/workflows/git resolved$ /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go er -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --get remote.origin.url /usr/bin/git Action pins synmake rev-parse /usr/bin/git git conf�� --get remote.origin.url /usr/bin/git ithub/workflows rev-parse /home/REDACTED/.lo/tmp/TestGuardPolicyMinIntegrityOnlymin-integrity_with_repos=public_4252266670/001 git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git ache/node/24.14.user.name git rev-�� --show-toplevel 459240f0688b8b7724ff506b /usr/bin/git --show-toplevel git cal/bin/bash git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go er -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha h ../../../.prettierignore GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha ithub/workflows git repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } k/gh-aw/gh-aw/.g/opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/cgo rev-parse /usr/bin/git basename .git�� .md d ndor/bin/bash ithub/workflows rev-parse /home/REDACTED/wor/tmp/TestGuardPolicyMinIntegrityOnlymin-integrity_with_repos_array_c2186662674/001 basename (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git ache/node/24.14.--show-toplevel git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git k/_temp/ghcca-no--show-toplevel git (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env json' --ignore-path ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha -json GO111MODULE ache/go/1.25.0/x-f GOINSECURE GOMOD GOMODCACHE go env 3fddd8ee:docs/src/content/docs/rremote.origin.url GO111MODULE e_modules/.bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha ithub/workflows GO111MODULE nfig/composer/vendor/bin/git GOINSECURE GOMOD GOMODCACHE go env ithub/workflows GO111MODULE r: $owner, name: $name) { hasDiscussionsEnabled } } GOINSECURE GOMOD GOMODCACHE sh (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env y_with_explicit_repo3967999540/001 GO111MODULE x86_64/node GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ithub/workflows docker /usr/bin/git l mcp/markitdown /usr/bin/gh git rev-�� k/gh-aw/gh-aw/.github/workflows /usr/bin/gh /usr/bin/git l -f (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel infocmp /usr/bin/git k/gh-aw/gh-aw/.ggit bash (http block)
https://api.github.com/repos/nonexistent/repo/actions/runs/12345
- Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ndor/bin/sh GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion l config /usr/bin/gh git rev-�� k/gh-aw/gh-aw/.github/workflows /usr/bin/gh /usr/bin/gh graphql -f /usr/bin/infocmp--get-regexp /usr/bin/gh (http block)
- Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion 0/x64/bin/node git /usr/bin/git git ance�� 1307761750/.github/workflows git 0/x64/bin/node --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/owner/repo/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go -json GO111MODULE 64/bin/go go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo r: $owner, name: $name) { hasDiscussionsEnabled } } k/gh-aw/gh-aw/.g/usr/bin/gh rev-parse me: String!) { graphql x_amd64/asm .git�� ithub/workflows git /usr/bin/basenam-f /home/REDACTED/worgit config /usr/bin/git basename (http block)
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo $name) { hasDiscussionsEnabled } } graphql -f me: String!) { /home/REDACTED/work/gh-aw/gh-aw/.github/workflows grep er.m�� mary infocmp /usr/bin/grep xterm-color go repository(owne/home/REDACTED/work/gh-aw/gh-aw/.github/workflows grep (http block)
https://api.github.com/repos/owner/repo/contents/file.md
- Triggering command: /tmp/go-build4263159945/b400/cli.test /tmp/go-build4263159945/b400/cli.test -test.testlogfile=/tmp/go-build4263159945/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -json GO111MODULE 64/bin/go sh -c "prettier" --wriGOSUMDB go 64/bin/go -json GO111MODULE 64/bin/go go (http block)
- Triggering command: /tmp/go-build2297676451/b400/cli.test /tmp/go-build2297676451/b400/cli.test -test.testlogfile=/tmp/go-build2297676451/b400/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true ithub/workflows config repository(ownexterm-color ./gh-aw s/la�� daily-performance-summary /usr/bin/gh e aw/actions-lock.infocmp -f /opt/hostedtoolcxterm-color ./gh-aw (http block)
- Triggering command: /tmp/go-build4279822392/b001/cli.test /tmp/go-build4279822392/b001/cli.test -test.testlogfile=/tmp/go-build4279822392/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s rev-�� --show-toplevel git /usr/bin/git --show-toplevel git ache/node/24.14.0/x64/bin/node git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git ache/node/24.14.0/x64/bin/node git (http block)
https://api.github.com/repos/test-owner/test-repo/actions/secrets
- Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --write scripts/**/*.js 64/bin/go .prettierignore --log-level=erro/opt/hostedtoolcache/node/24.14.0/x64/bin/npx 64/bin/go node /hom�� --write ../../../**/*.js**/*.json /node --ignore-path ../../../.prettilist 64/bin/go go (http block)
- Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name ithub/workflows infocmp /usr/bin/git l go (http block)
- Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --show-toplevel git ache/node/24.14.0/x64/bin/npm --show-toplevel git ache/node/24.14.0/x64/bin/node ache/node/24.14.0/x64/bin/npm rev-�� nly git /usr/bin/git --show-toplevel git ache/node/24.14.0/x64/bin/node git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

pelikhan · 2026-03-22T20:15:58Z

@copilot merge main and recompile

Copilot

Pull request overview

This PR removes internal/debug-only sandbox configuration details from public documentation and enforces that boundary by blocking internal sandbox customization fields when strict mode is enabled.

Changes:

Hides internal sandbox/MCP gateway execution fields from generated schema docs via x-internal: true.
Adds strict-mode compilation validation to reject internal sandbox customization fields, plus targeted unit tests.
Updates docs and internal workflows/tests to avoid exposing/using internal fields in strict mode (opt out with strict: false where needed).

Reviewed changes

Copilot reviewed 17 out of 17 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
`scripts/generate-schema-docs.js`	Skips `x-internal` schema properties during doc generation.
`pkg/workflow/strict_mode_sandbox_validation.go`	Adds strict-mode validation that rejects internal sandbox customization fields.
`pkg/workflow/strict_mode_sandbox_validation_test.go`	Adds unit tests covering strict/non-strict behavior for internal sandbox fields.
`pkg/workflow/compiler_orchestrator_engine.go`	Invokes the new strict sandbox customization validation during compilation.
`pkg/parser/schemas/main_workflow_schema.json`	Marks specific sandbox/MCP fields as `x-internal: true` in the schema.
`docs/src/content/docs/reference/sandbox.md`	Removes public documentation for internal AWF and MCP gateway execution customization.
`docs/src/content/docs/reference/frontmatter-full.md`	Regenerates the full frontmatter reference; internal fields are no longer included.
`pkg/workflow/sandbox_custom_agent_test.go`	Opts test fixtures using internal AWF customization out of strict mode.
`pkg/workflow/mcp_gateway_entrypoint_mounts_e2e_test.go`	Opts MCP gateway e2e tests using internal fields out of strict mode.
`.github/workflows/smoke-copilot.md`	Sets `strict: false` for internal smoke workflow that configures internal MCP container fields.
`.github/workflows/smoke-copilot.lock.yml`	Regenerated lock file reflecting `strict: false`.
`.github/workflows/smoke-copilot-arm.md`	Sets `strict: false` for ARM smoke workflow using internal MCP container fields.
`.github/workflows/smoke-copilot-arm.lock.yml`	Regenerated lock file reflecting `strict: false`.
`.github/workflows/smoke-codex.md`	Sets `strict: false` for smoke workflow using internal MCP container fields.
`.github/workflows/smoke-codex.lock.yml`	Regenerated lock file reflecting `strict: false`.
`.github/workflows/smoke-claude.md`	Sets `strict: false` for smoke workflow using internal MCP container fields.
`.github/workflows/smoke-claude.lock.yml`	Regenerated lock file reflecting `strict: false`.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-03-22T20:20:48Z

scripts/generate-schema-docs.js

+    // Skip internal-only properties (marked with "x-internal": true in the schema).
+    // These are implementation/debugging details not intended for end users.
+    if (resolvedProp["x-internal"] === true) {


The doc generator now skips properties marked x-internal: true, but the schema still has at least one x-internal field that is also required (sandbox.mcp.container). Skipping a required field produces an invalid/misleading YAML example in frontmatter-full.md (users can’t satisfy required schema fields from the generated docs). Consider either (a) ensuring x-internal fields are never required in the public schema, or (b) teaching the generator to still render required x-internal fields (possibly with an internal-only warning) so the output remains schema-valid.

Suggested change

// Skip internal-only properties (marked with "x-internal": true in the schema).

// These are implementation/debugging details not intended for end users.

if (resolvedProp["x-internal"] === true) {

// Skip internal-only properties (marked with "x-internal": true in the schema),

// but only when they are not required. Required internal fields are still rendered

// so that the generated YAML examples remain schema-valid.

if (resolvedProp["x-internal"] === true && !required.includes(propName)) {

Copilot · 2026-03-22T20:20:50Z

pkg/parser/schemas/main_workflow_schema.json

                "container": {
                  "type": "string",
+                  "x-internal": true,
                  "pattern": "^[a-zA-Z0-9][a-zA-Z0-9/:_.-]*$",
                  "description": "Container image for the MCP gateway executable (required)"
                },


sandbox.mcp.container is now marked x-internal: true, but the MCP schema still declares it as required (required: ["container"]). This creates a conflict: strict mode rejects sandbox.mcp.container, the public docs generator hides it, and schema validation will fail for workflows that set sandbox.mcp.port/api-key without container (as shown in docs/reference/sandbox.md). If the compiler supplies a default container/version, the schema should not require container (or should allow an object without it) so user-facing configs can validate.

Copilot · 2026-03-22T20:20:51Z

docs/src/content/docs/reference/frontmatter-full.md


+# Option 3: Set to false to disable the default checkout step. The agent job will
+# not check out any repository (dev-mode checkouts are unaffected).
+checkout: true


The checkout documentation for the boolean-disable option is inconsistent: the comment says "Set to false to disable" but the example shown is checkout: true. This appears to come from the schema-doc generator always emitting true for boolean variants; it should respect const: false/default for that variant so the generated reference is correct.

Suggested change

checkout: true

checkout: false

pelikhan · 2026-03-22T20:21:42Z

@copilot merge main recompile review comments

…-awf-mcp-docs # Conflicts: # docs/src/content/docs/reference/frontmatter-full.md

Copilot · 2026-03-22T20:22:28Z

@copilot merge main and recompile

Done in commit 17ec838. Merged main, resolved the conflict in the generated frontmatter-full.md by regenerating it, and recompiled — all 177 workflow files compile successfully.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw tTkQnly/a71V32Th-C (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -unreachable=false /tmp/go-build1870481304/b045/vet.cfg 0481304/b296/vet.cfg (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows .cfg 64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git --abbrev-ref HEAD x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git k/gh-aw/gh-aw/.ggit --name-only x_amd64/vet git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha xterm-color (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha graphql -f 0481304/b155/vet.cfg -f owner=github -f /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build1870481304/b022/vet.cfg 0481304/b282/vet.cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git ithub/workflows credential.helperev-parse x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git --verify copilot/remove-crev-parse x_amd64/vet git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha graphql ache/go/1.25.0/x64/src/internal/fuzz/counters_supported.go /usr/bin/gcc -f owner=github -f gcc -###�� -x c 0481304/b267/vet.cfg - (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha xterm-color (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config 0481304/b149/vet.cfg remote.origin.urgit (http block)
https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha k/gh-aw/gh-aw/.github/workflows %(refname) 64/pkg/tool/linux_amd64/vet --merged d18ef23b8bafe6b2rev-parse (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
https://api.github.com/repos/github/gh-aw
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel .cfg 64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --get .cfg 64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

…oolean variant docs Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/e4724ceb-85c4-4356-a097-03d500ec8c60

Copilot · 2026-03-22T20:29:40Z

@copilot merge main recompile review comments

Done in commit 75ff699. Addressed all three reviewer comments:

Schema required conflict (pkg/parser/schemas/main_workflow_schema.json) — removed container from required in sandbox.mcp; it's internal and the compiler supplies a default, so it should never be required from users.
Doc generator defensive check (scripts/generate-schema-docs.js) — x-internal fields are now only skipped when they're not required, so any future required-x-internal field still renders correctly in generated YAML examples.
Boolean variant checkout: false — fixed generateVariants to call getExampleValue(variant, propName) instead of hardcoding true, so the enum: [false] boolean variant now correctly emits checkout: false.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha -unreachable=false /tmp/go-build3117179680/b045/vet.cfg 7179680/b303/vet.cfg (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha k/gh-aw/gh-aw/.github/workflows .cfg 64/pkg/tool/linux_amd64/vet l (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha o actions/setup-go1.25.0 (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /usr/bin/git a.out (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git ithub/workflows gpg.program x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git ithub/workflows (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha xterm-color (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha graphql -f 7179680/b155/vet.cfg -f owner=github -f /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build3117179680/b022/vet.cfg 7179680/b272/vet.cfg (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel git /usr/bin/git ithub/workflows --local x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git ithub/workflows origin x_amd64/vet git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha graphql -f 7179680/b131/vet.cfg -f owner=github -f /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -o /tmp/go-build3117179680/b076/_pkg_.a -trimpath 7179680/b267/vet.cfg -p internal/fuzz -lang=go1.25 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha xterm-color (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config 7179680/b145/vet.cfg remote.origin.urgit (http block)
https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha -t security 64/pkg/tool/linux_amd64/vet OUTPUT -d 168.63.129.16 64/pkg/tool/linux_amd64/vet -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows .cfg 64/pkg/tool/linux_amd64/vet remote.origin.urgit -j DROP 64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
https://api.github.com/repos/github/gh-aw
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --noprofile .cfg 64/pkg/tool/linux_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha k/gh-aw/gh-aw/.github/workflows .cfg 64/pkg/tool/linux_amd64/vet l (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
https://api.github.com/repos/githubnext/agentics/git/ref/tags/
- Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

…-awf-mcp-docs

…ow files

pelikhan · 2026-03-22T21:01:17Z

@copilot review errors in

CI / Integration Add with dispatch-workflow Dependencies (pull_request)Failing after 50s
CI / Integration: Workflow Infra (pull_request)
CI / Integration: Workflow Infra (pull_request)Failing after 42s
CI / Integration: Workflow Tools & MCP (pull_request)
CI / Integration: Workflow Tools & MCP (pull_request)Failing after 47s

…er; update pinned commit Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a3dc739a-cc65-422c-bfa3-73b3eeca1a83

Copilot · 2026-03-22T21:08:30Z

@copilot review errors in

[CI / Integration Add with dispatch-workflow Dependencies (pull_request)](https://github.com/github/gh-aw/actions/runs/23412385250/job/68101763287?pr=22...

Fixed in commit b7eff91. All three CI failures had the same root cause — test workflows using sandbox.mcp.container were being rejected by the new strict mode validation:

TestMCPGatewayVersionParsedFromSource (pkg/workflow/mcp_setup_generator_test.go) — added strict: false to the 4 test case frontmatter blocks that explicitly set sandbox.mcp.container.
TestAddWorkflowWithDispatchWorkflowFromSharedImport (pkg/cli/add_integration_test.go) — updated the pinned commit SHA from c93eec8 → c40d97c (the current branch HEAD), which contains strict: false in smoke-copilot.md.

Initial plan

001a08d

Copilot AI assigned Copilot and pelikhan Mar 22, 2026

Copilot started work on behalf of pelikhan March 22, 2026 19:26 View session

Copilot AI linked an issue Mar 22, 2026 that may be closed by this pull request

Make "Custom AWF Configuration" and " Custom MCP Gateway Configuration" internal-only, remove from docs #22307

Closed

dsyme mentioned this pull request Mar 22, 2026

Remove mounts support from agent sandbox, MCP gateway, and GitHub MCP server #22309

Closed

Copilot AI changed the title ~~[WIP] Make Custom AWF and MCP Gateway configurations internal only~~ docs(sandbox): remove Custom AWF Configuration and Custom MCP Gateway Configuration sections Mar 22, 2026

Copilot AI requested a review from pelikhan March 22, 2026 19:33

Copilot finished work on behalf of pelikhan March 22, 2026 19:33

Copilot started work on behalf of pelikhan March 22, 2026 19:33 View session

Copilot finished work on behalf of pelikhan March 22, 2026 20:06

pelikhan marked this pull request as ready for review March 22, 2026 20:15

Copilot AI review requested due to automatic review settings March 22, 2026 20:15

Copilot started work on behalf of pelikhan March 22, 2026 20:16 View session

Copilot started reviewing on behalf of pelikhan March 22, 2026 20:16 View session

Copilot AI reviewed Mar 22, 2026

View reviewed changes

Merge remote-tracking branch 'origin/main' into copilot/remove-custom…

17ec838

…-awf-mcp-docs # Conflicts: # docs/src/content/docs/reference/frontmatter-full.md

Copilot finished work on behalf of pelikhan March 22, 2026 20:23

Copilot started work on behalf of pelikhan March 22, 2026 20:23 View session

fix: address review comments - schema required/x-internal conflict, b…

75ff699

…oolean variant docs Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/e4724ceb-85c4-4356-a097-03d500ec8c60

Copilot finished work on behalf of pelikhan March 22, 2026 20:30

pelikhan added 2 commits March 22, 2026 20:59

Merge remote-tracking branch 'origin/main' into copilot/remove-custom…

137db7a

…-awf-mcp-docs

fix: update repository references from githubnext to github in workfl…

c40d97c

…ow files

Copilot started work on behalf of pelikhan March 22, 2026 21:01 View session

github-actions bot mentioned this pull request Mar 22, 2026

[Contribution Check Report] PR #22310 — docs(sandbox): remove Custom AWF/MCP Gateway Configuration sections #22320

Closed

fix: add strict: false to integration tests using sandbox.mcp.contain…

b7eff91

…er; update pinned commit Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a3dc739a-cc65-422c-bfa3-73b3eeca1a83

Copilot finished work on behalf of pelikhan March 22, 2026 21:09

pelikhan merged commit 4709c82 into main Mar 22, 2026
52 of 53 checks passed

pelikhan deleted the copilot/remove-custom-awf-mcp-docs branch March 22, 2026 21:26

-    // Skip internal-only properties (marked with "x-internal": true in the schema).
-    // These are implementation/debugging details not intended for end users.
-    if (resolvedProp["x-internal"] === true) {
+    // Skip internal-only properties (marked with "x-internal": true in the schema),
+    // but only when they are not required. Required internal fields are still rendered
+    // so that the generated YAML examples remain schema-valid.
+    if (resolvedProp["x-internal"] === true && !required.includes(propName)) {

Conversation

Copilot AI commented Mar 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Uh oh!

pelikhan commented Mar 22, 2026

Uh oh!

pelikhan commented Mar 22, 2026

Uh oh!

pelikhan commented Mar 22, 2026

Uh oh!

Copilot AI commented Mar 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

pelikhan commented Mar 22, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Copilot AI Mar 22, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Mar 22, 2026

Choose a reason for hiding this comment

Uh oh!

Copilot AI Mar 22, 2026

Choose a reason for hiding this comment

Uh oh!

pelikhan commented Mar 22, 2026

Uh oh!

Copilot AI commented Mar 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Copilot AI commented Mar 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

pelikhan commented Mar 22, 2026

Uh oh!

Copilot AI commented Mar 22, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Mar 22, 2026 •

edited

Loading

Copilot AI commented Mar 22, 2026 •

edited

Loading

Copilot AI commented Mar 22, 2026 •

edited

Loading

Copilot AI commented Mar 22, 2026 •

edited

Loading