
Remove cli-proxy-writable feature flag and add read-only gh CLI prompt for cli-proxy#25013

Merged
lpcox merged 3 commits into main from copilot/remove-cli-proxy-writable-flag
Apr 7, 2026

Conversation

Contributor

Copilot AI commented Apr 7, 2026

The cli-proxy-writable feature flag (introduced alongside cli-proxy) enabled write operations via the gh CLI proxy sidecar. Decision: the agent's gh CLI should be read-only; write operations must go through the safe-outputs / GitHub MCP path which has proper guard policies and audit logging.

Additionally, when cli-proxy is enabled the compiler now injects a special prompt directing the agent to use gh CLI for GitHub reads (and safeoutputs for writes when safe-outputs is also configured), and the GitHub MCP server is not registered with the gateway.

Changes

  • pkg/constants/feature_constants.go — Remove CliProxyWritableFeatureFlag constant
  • pkg/workflow/awf_helpers.go — Remove --cli-proxy-writable injection block
  • pkg/workflow/awf_helpers_test.go — Remove two test cases (cli-proxy-writable enabled, cli-proxy-writable without cli-proxy) and clean up remaining --cli-proxy-writable assertions
  • .changeset/minor-add-cli-proxy-feature-flag.md — Update description to reflect read-only-only cli-proxy flag
  • actions/setup/md/cli_proxy_prompt.md — New prompt instructing the agent to use pre-authenticated gh CLI for GitHub reads; no GitHub MCP server available
  • actions/setup/md/cli_proxy_with_safeoutputs_prompt.md — Same as above, plus directs the agent to use safeoutputs for GitHub writes
  • pkg/workflow/prompt_constants.go — Add constants for the two new prompt files
  • pkg/workflow/unified_prompt_step.go — When cli-proxy is enabled, inject the cli-proxy prompt instead of the GitHub MCP tools prompt (always injected when the flag is set, regardless of whether tools.github is configured)
  • pkg/workflow/mcp_setup_generator.go — Skip registering the GitHub MCP server with the gateway when cli-proxy is enabled
  • pkg/workflow/unified_prompt_step_test.go — Add TestCollectPromptSections_CliProxy covering all four prompt-selection scenarios

Copilot AI changed the title from "[WIP] Remove cli-proxy-writable feature flag for read-only operations" to "Remove cli-proxy-writable feature flag — agent gh CLI is read-only" Apr 7, 2026
Copilot AI requested a review from lpcox April 7, 2026 04:24
Copilot finished work on behalf of lpcox April 7, 2026 04:24
@lpcox lpcox marked this pull request as ready for review April 7, 2026 04:51
Copilot AI review requested due to automatic review settings April 7, 2026 04:52
Collaborator

lpcox commented Apr 7, 2026

@copilot when cli-proxy is enabled the agent will need a special prompt telling it to use the gh cli for github read operations and safeoutputs for github write operations. the github mcp server should also not be configured/registered with the gateway, and the agent prompt should not mention the github mcp server.

Contributor

Copilot AI left a comment


Pull request overview

Removes the deprecated cli-proxy-writable feature flag to ensure the agent’s gh CLI proxy remains read-only, with write operations routed through the safe-outputs / GitHub MCP path.

Changes:

  • Removed the CliProxyWritableFeatureFlag constant and all remaining references.
  • Stopped injecting --cli-proxy-writable into the AWF firewall command args.
  • Updated tests and the changeset to reflect the read-only cli-proxy behavior.
Summary per file:

  • pkg/constants/feature_constants.go — Drops the CliProxyWritableFeatureFlag identifier and its documentation block.
  • pkg/workflow/awf_helpers.go — Removes --cli-proxy-writable injection logic from BuildAWFArgs.
  • pkg/workflow/awf_helpers_test.go — Removes writable-flag test cases and related assertions.
  • .changeset/minor-add-cli-proxy-feature-flag.md — Updates release note text to describe read-only cli-proxy behavior.

Copilot's findings


  • Files reviewed: 4/4 changed files
  • Comments generated: 0

Contributor Author

Copilot AI commented Apr 7, 2026

@copilot when cli-proxy is enabled the agent will need a special prompt telling it to use the gh cli for github read operations and safeoutputs for github write operations. the github mcp server shou...

Done in commit fde73c3. When cli-proxy is enabled:

  1. Special prompt injected — cli_proxy_prompt.md (or cli_proxy_with_safeoutputs_prompt.md when safe-outputs is also enabled) is added to the agent's instructions, directing it to use gh CLI for GitHub reads and safeoutputs for writes. The GitHub MCP tools prompt is not included.

  2. GitHub MCP server not registered — the generateMCPSetup loop now skips adding "github" to the mcpTools list when cli-proxy is enabled, so the server is never configured or started with the gateway.

  3. No mention of GitHub MCP server — the injected cli-proxy prompt only mentions gh CLI and safeoutputs; the GitHub MCP tools guidance files (which reference the MCP server) are not shown.
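The two rules this comment and the PR description lay out (prompt selection across the four cli-proxy / safe-outputs combinations, and dropping the GitHub MCP server from the gateway when cli-proxy is on) are small enough to state as code. The following Go program is an added illustration, not the project's own compiler code: the WorkflowConfig struct, the function names SelectGitHubPrompt and GatewayMCPTools, and the githubMCPToolsPrompt filename are assumptions; only cli_proxy_prompt.md and cli_proxy_with_safeoutputs_prompt.md are taken from the PR.

```go
package main

import "fmt"

// WorkflowConfig is a hypothetical, simplified view of the compiler's
// configuration; the real project uses different types.
type WorkflowConfig struct {
	CliProxy    bool // the cli-proxy feature flag is set
	SafeOutputs bool // safe-outputs is configured
	GitHubTools bool // tools.github is configured
}

const (
	cliProxyPrompt        = "cli_proxy_prompt.md"                  // from the PR
	cliProxySafeOutPrompt = "cli_proxy_with_safeoutputs_prompt.md" // from the PR
	githubMCPToolsPrompt  = "github_mcp_tools_prompt.md"           // assumed name
)

// SelectGitHubPrompt returns the GitHub guidance file to inject.
// With cli-proxy enabled the cli-proxy prompt is always chosen, regardless of
// tools.github, so the agent is only ever told about the read-only gh CLI
// (plus safeoutputs for writes) and never about the GitHub MCP server.
func SelectGitHubPrompt(cfg WorkflowConfig) string {
	if cfg.CliProxy {
		if cfg.SafeOutputs {
			return cliProxySafeOutPrompt
		}
		return cliProxyPrompt
	}
	if cfg.GitHubTools {
		return githubMCPToolsPrompt
	}
	return ""
}

// GatewayMCPTools filters the MCP servers to register with the gateway.
// When cli-proxy is enabled, "github" is skipped so the server is never
// configured or started; writes must then go through safe-outputs, which
// carries the guard policies and audit logging.
func GatewayMCPTools(cfg WorkflowConfig, tools []string) []string {
	out := make([]string, 0, len(tools))
	for _, t := range tools {
		if t == "github" && cfg.CliProxy {
			continue
		}
		out = append(out, t)
	}
	return out
}

func main() {
	// Constructed sample: the four prompt-selection scenarios plus one gateway filter.
	for _, cfg := range []WorkflowConfig{
		{CliProxy: true, SafeOutputs: true},
		{CliProxy: true, SafeOutputs: false},
		{CliProxy: false, GitHubTools: true},
		{CliProxy: false, GitHubTools: false},
	} {
		fmt.Printf("%+v -> prompt=%q\n", cfg, SelectGitHubPrompt(cfg))
	}
	tools := []string{"github", "playwright", "safeoutputs"}
	fmt.Println(GatewayMCPTools(WorkflowConfig{CliProxy: true}, tools))
}
```

The filter keeps the other servers untouched; only the "github" entry depends on the flag, which matches the described change to the generateMCPSetup loop.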

Copilot AI changed the title from "Remove cli-proxy-writable feature flag — agent gh CLI is read-only" to "Remove cli-proxy-writable feature flag and add read-only gh CLI prompt for cli-proxy" Apr 7, 2026
Copilot finished work on behalf of lpcox April 7, 2026 05:08
@lpcox lpcox merged commit 6ab2750 into main Apr 7, 2026
83 of 84 checks passed
@lpcox lpcox deleted the copilot/remove-cli-proxy-writable-flag branch April 7, 2026 05:13

Development

Successfully merging this pull request may close these issues.

Remove cli-proxy-writable feature flag — agent gh CLI should be read-only

3 participants