fix(pi): use api-proxy Docker service hostname for LLM gateway routing to enable /reflect access by Copilot · Pull Request #30045 · github/gh-aw

Copilot · 2026-05-04T03:26:23Z

Summary

The Pi engine's buildPiModelsJSON was constructing the LLM gateway baseUrl as http://host.docker.internal:PORT. This routes Pi's inference traffic to the host machine's port, bypassing the api-proxy Docker container's network interface entirely.

As a result, the api-proxy was never an active participant in the AWF Docker network when Pi ran. Its management endpoint (api-proxy:10000/reflect) was therefore unreachable from the agent container — explaining why dev (Pi engine) could not access /reflect while smoke-copilot (Copilot engine, which routes through the api-proxy transparently via Squid) could.

Root cause

	dev (Pi)	smoke-copilot (Copilot)
LLM routing	`http://host.docker.internal:10002` (host-side, bypasses api-proxy)	transparent via Squid → api-proxy
api-proxy active in Docker net?	❌ No	✅ Yes
`api-proxy:10000/reflect` reachable?	❌ No	✅ Yes

Fix

Change buildPiModelsJSON to use the api-proxy Docker service hostname (http://api-proxy:PORT). This routes Pi's LLM traffic through the api-proxy sidecar on the AWF Docker network, which initializes the proxy and makes /reflect respond. Using the service hostname is cleaner than a hardcoded IP and is consistent with how other containers reference each other within the AWF Docker network.

Also update the diagnostic logging helper resolveGatewayUrl in pi_provider.cjs to use the same api-proxy hostname for accuracy.

Changes

pkg/workflow/pi_engine.go: buildPiModelsJSON — host.docker.internal:PORT → http://api-proxy:PORT
pkg/workflow/pi_engine_test.go: Add firewall execution step tests (TestPiEngine_GetExecutionSteps_FirewallCopilotProvider, TestPiEngine_GetExecutionSteps_FirewallAnthropicProvider, TestPiEngine_GetExecutionSteps_FirewallCodexProvider) asserting api-proxy: is used and host.docker.internal is absent
actions/setup/js/pi_provider.cjs: resolveGatewayUrl logging — host.docker.internal:PORT → http://api-proxy:PORT
*.lock.yml: Recompiled — models.json base64 payload updated with new baseUrl

Verification

make fmt lint build recompile  →  all pass, 210/210 workflows compiled
go test -run "TestPi|TestBuildPiModels" ./pkg/workflow/  →  all pass

…pilot Agent-Logs-Url: https://github.com/github/gh-aw/sessions/5f990e7a-a34d-4cdf-bf2d-7b57564c37cb Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

… /reflect access The Pi engine was constructing models.json with `baseUrl: "http://host.docker.internal:PORT"`, which bypasses the api-proxy Docker container entirely. As a result, the api-proxy was never an active participant in the Docker network from Pi's perspective, making its management endpoint (api-proxy:10000/reflect) unreachable from the agent container. Fix buildPiModelsJSON to use constants.AWFAPIProxyContainerIP (172.30.0.30) via net.JoinHostPort, matching the pattern used by the Codex engine (codex_mcp.go). This routes Pi's LLM traffic through the api-proxy sidecar on the AWF Docker network, which initialises the proxy and makes /reflect respond. Also update resolveGatewayUrl in pi_provider.cjs (used for diagnostic logging) to use the same api-proxy container IP for accuracy. Add TestBuildPiModelsJSON_UsesAPIProxyContainerIP to assert the fix. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f07dcb97-a7b7-41f0-aeee-3837a13bb6d3 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

…ngine test Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f07dcb97-a7b7-41f0-aeee-3837a13bb6d3 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

pelikhan · 2026-05-04T03:32:09Z

@copilot merge main and recompile

Copilot

Pull request overview

Updates Pi engine gateway routing so LLM traffic goes through the AWF api-proxy sidecar (via its fixed container IP) instead of bypassing it via host.docker.internal, enabling /reflect access from the agent container.

Changes:

Switch Pi’s generated models.json baseUrl to http://<AWF api-proxy container IP>:<gatewayPort>.
Add a unit test asserting Pi models JSON uses the api-proxy container IP and not host.docker.internal.
Update Pi JS provider logging to resolve gateway URLs using the same container IP; recompile workflow lockfiles to embed updated models.json payloads.

Show a summary per file

File	Description
pkg/workflow/pi_engine.go	Build Pi `models.json` with `constants.AWFAPIProxyContainerIP` via `net.JoinHostPort` for gateway routing through api-proxy.
pkg/workflow/pi_engine_test.go	Add test coverage ensuring generated `baseUrl` uses api-proxy container IP (and not `host.docker.internal`).
actions/setup/js/pi_provider.cjs	Align diagnostic gateway URL resolution with api-proxy container IP (for accurate logging).
.github/workflows/workflow-skill-extractor.lock.yml	Recompiled lock output; updates embedded `models.json` payload and tool allowlist entries.
.github/workflows/ubuntu-image-analyzer.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/spec-librarian.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/spec-extractor.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/smoke-pi.lock.yml	Recompiled lock output; updates embedded `models.json` baseUrl to api-proxy container IP.
.github/workflows/layout-spec-maintainer.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/discussion-task-miner.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/dev.lock.yml	Recompiled lock output; updates embedded `models.json` baseUrl to api-proxy container IP.
.github/workflows/delight.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/daily-testify-uber-super-expert.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/daily-safe-output-integrator.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/daily-mcp-concurrency-analysis.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/daily-file-diet.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/daily-compiler-quality.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/copilot-cli-deep-research.lock.yml	Recompiled lock output (tool allowlist entry changes).
.github/workflows/ab-testing-advisor.lock.yml	Recompiled lock output (tool allowlist entry changes).

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 19/19 changed files
Comments generated: 3

+// Fixed IP of the AWF api-proxy sidecar container within the AWF Docker network.
+// Matches constants.AWFAPIProxyContainerIP on the Go side.
+const AWF_API_PROXY_CONTAINER_IP = "172.30.0.30";


          # shellcheck disable=SC1003
          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull \
-            -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat *)'\'' --allow-tool '\''shell(cat > /tmp/gh-aw/agent/*.py)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find .github/workflows -name '\''\'\'''\''*.md'\''\'\'''\'')'\'' --allow-tool '\''shell(grep -r '\''\'\'''\''*'\''\'\'''\'' .github/workflows)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls *)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(python3 *)'\'' --allow-tool '\''shell(safeoutputs:*)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc *)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
+            -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-tool github --allow-tool safeoutputs --allow-tool '\''shell(cat *)'\'' --allow-tool '\''shell(cat > /tmp/gh-aw/agent/*.py)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find .github/workflows -name)'\'' --allow-tool '\''shell(grep -r)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls *)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(python3 *)'\'' --allow-tool '\''shell(safeoutputs:*)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc *)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log


          # shellcheck disable=SC1003
          sudo -E awf --config "${RUNNER_TEMP}/gh-aw/awf-config.json" --container-workdir "${GITHUB_WORKSPACE}" --mount "${RUNNER_TEMP}/gh-aw:${RUNNER_TEMP}/gh-aw:ro" --mount "${RUNNER_TEMP}/gh-aw:/host${RUNNER_TEMP}/gh-aw:ro" --env-all --exclude-env COPILOT_GITHUB_TOKEN --exclude-env GH_TOKEN --exclude-env GITHUB_MCP_SERVER_TOKEN --exclude-env MCP_GATEWAY_API_KEY --log-level info --proxy-logs-dir /tmp/gh-aw/sandbox/firewall/logs --audit-dir /tmp/gh-aw/sandbox/firewall/audit --enable-host-access --allow-host-ports 80,443,8080 --skip-pull --difc-proxy-host host.docker.internal:18443 --difc-proxy-ca-cert /tmp/gh-aw/difc-proxy-tls/ca.crt \
-            -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-tool github --allow-tool safeoutputs --allow-tool serena --allow-tool '\''shell(cat pkg/**/*.go)'\'' --allow-tool '\''shell(cat pkg/*/*.go)'\'' --allow-tool '\''shell(cat pkg/*/README.md)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find pkg -maxdepth 1 -type d)'\'' --allow-tool '\''shell(find pkg -name '\''\'\'''\''*.go'\''\'\'''\'' ! -name '\''\'\'''\''*_test.go'\''\'\'''\'' -type f)'\'' --allow-tool '\''shell(find pkg -name '\''\'\'''\''README.md'\''\'\'''\'' -type f)'\'' --allow-tool '\''shell(find pkg -type f -name '\''\'\'''\''*.go'\''\'\'''\'' ! -name '\''\'\'''\''*_test.go'\''\'\'''\'')'\'' --allow-tool '\''shell(find pkg/ -maxdepth 1 -ls)'\'' --allow-tool '\''shell(find pkg/* -maxdepth 0 -type d)'\'' --allow-tool '\''shell(find pkg/workflow/ -maxdepth 1 -ls)'\'' --allow-tool '\''shell(git log --oneline --since='\''\'\'''\''30 days ago'\''\'\'''\'' -- pkg/*)'\'' --allow-tool '\''shell(git log --oneline --since='\''\'\'''\''7 days ago'\''\'\'''\'' -- pkg/*/README.md)'\'' --allow-tool '\''shell(git log -1 --format=%H -- pkg/*)'\'' --allow-tool '\''shell(grep -r '\''\'\'''\''func '\''\'\'''\'' pkg --include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep -rn '\''\'\'''\''const [A-Z]'\''\'\'''\'' pkg --include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep -rn '\''\'\'''\''func [A-Z]'\''\'\'''\'' pkg --include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep -rn '\''\'\'''\''import '\''\'\'''\'' pkg --include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep -rn '\''\'\'''\''package '\''\'\'''\'' pkg --include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep -rn '\''\'\'''\''type [A-Z]'\''\'\'''\'' pkg --include='\''\'\'''\''*.go'\''\'\'''\'')'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head -n * pkg/**/*.go)'\'' --allow-tool '\''shell(head -n * pkg/*/*.go)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(safeoutputs:*)'\'' --allow-tool '\''shell(serena:*)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc -l pkg/**/*.go)'\'' --allow-tool '\''shell(wc -l pkg/*/*.go)'\'' --allow-tool '\''shell(wc -l pkg/*/README.md)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log
+            -- /bin/bash -c 'export PATH="${RUNNER_TEMP}/gh-aw/mcp-cli/bin:$PATH" && export PATH="$(find /opt/hostedtoolcache /home/runner/work/_tool -maxdepth 4 -type d -name bin 2>/dev/null | tr '\''\n'\'' '\'':'\'')$PATH"; [ -n "$GOROOT" ] && export PATH="$GOROOT/bin:$PATH" || true && GH_AW_NODE_EXEC="${GH_AW_NODE_BIN:-}"; if [ -z "$GH_AW_NODE_EXEC" ] || [ ! -x "$GH_AW_NODE_EXEC" ]; then GH_AW_NODE_EXEC="$(command -v node 2>/dev/null || echo node)"; fi; "$GH_AW_NODE_EXEC" ${RUNNER_TEMP}/gh-aw/actions/copilot_harness.cjs /usr/local/bin/copilot --add-dir /tmp/gh-aw/ --log-level all --log-dir /tmp/gh-aw/sandbox/agent/logs/ --disable-builtin-mcps --no-ask-user --allow-tool github --allow-tool safeoutputs --allow-tool serena --allow-tool '\''shell(cat pkg/**/*.go)'\'' --allow-tool '\''shell(cat pkg/*/*.go)'\'' --allow-tool '\''shell(cat pkg/*/README.md)'\'' --allow-tool '\''shell(cat)'\'' --allow-tool '\''shell(date)'\'' --allow-tool '\''shell(echo)'\'' --allow-tool '\''shell(find pkg -maxdepth 1 -type d)'\'' --allow-tool '\''shell(find pkg -name)'\'' --allow-tool '\''shell(find pkg -type f -name)'\'' --allow-tool '\''shell(find pkg/ -maxdepth 1 -ls)'\'' --allow-tool '\''shell(find pkg/* -maxdepth 0 -type d)'\'' --allow-tool '\''shell(find pkg/workflow/ -maxdepth 1 -ls)'\'' --allow-tool '\''shell(git log --oneline --since=)'\'' --allow-tool '\''shell(git log -1 --format=%H -- pkg/*)'\'' --allow-tool '\''shell(grep -r)'\'' --allow-tool '\''shell(grep -rn)'\'' --allow-tool '\''shell(grep)'\'' --allow-tool '\''shell(head -n * pkg/**/*.go)'\'' --allow-tool '\''shell(head -n * pkg/*/*.go)'\'' --allow-tool '\''shell(head)'\'' --allow-tool '\''shell(ls)'\'' --allow-tool '\''shell(pwd)'\'' --allow-tool '\''shell(safeoutputs:*)'\'' --allow-tool '\''shell(serena:*)'\'' --allow-tool '\''shell(sort)'\'' --allow-tool '\''shell(tail)'\'' --allow-tool '\''shell(uniq)'\'' --allow-tool '\''shell(wc -l pkg/**/*.go)'\'' --allow-tool '\''shell(wc -l pkg/*/*.go)'\'' --allow-tool '\''shell(wc -l pkg/*/README.md)'\'' --allow-tool '\''shell(wc)'\'' --allow-tool '\''shell(yq)'\'' --allow-tool write --allow-all-paths --add-dir "${GITHUB_WORKSPACE}" --prompt-file /tmp/gh-aw/aw-prompts/prompt.txt' 2>&1 | tee -a /tmp/gh-aw/agent-stdio.log


pelikhan · 2026-05-04T03:39:07Z

@copilot merge main and recompile

…lags-dev-smoke-copilot # Conflicts: # .github/workflows/dev.lock.yml # .github/workflows/smoke-pi.lock.yml # actions/setup/js/pi_provider.cjs # pkg/workflow/pi_engine.go # pkg/workflow/pi_engine_test.go Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot · 2026-05-04T03:41:19Z

@copilot merge main and recompile

Done in e05ccc1. Merged origin/main and recompiled — 210/210 workflows updated. Lock files now use baseUrl: http://api-proxy:PORT (Docker service hostname, from main's approach).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw "$k=".$v["localapi (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw QJ/0SVrKXfNFAsoc-C (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 7276506/b230/vet.cfg sv (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv /ref/tags/v9 7276506/b236/vet.cfg sv (http block)
https://api.github.com/repos/actions/download-artifact/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --noprofile .cfg $name) { hasDiscussionsEnabled } } (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv --noprofile (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/.github/workflows x_amd64/vet $name) { hasDiscussionsEnabled } } l awf-flags-dev-smapi $name) { has/repos/actions/github-script/git/ref/tags/v9 git -C k/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/git l --local 64/pkg/tool/linu/repos/docker/metadata-action/git/ref/tags/v6 git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v9
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv INVALID,NEW -j DROP (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv -c=4 -nolocalimports -importcfg /tmp/go-build3477276506/b369/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/workflow/features_import_test.go /home/REDACTED/work/gh-aw/gh-aw/pkg/workflow/import_schema_test.go (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ithub/workflows 7276506/b227/vet.cfg ache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv ithub/workflows (http block)
https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv (http block)
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv -unreachable=false /tmp/go-build3477276506/b224/vet.cfg e-output-integrator.lock.yml (http block)
- Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq [.object.sha, .object.type] | @tsv ithub-script/git/ref/tags/v9 /tmp/go-build3477276506/b236/vet.cfg bject.type] | @tsv (http block)
https://api.github.com/repos/docker/metadata-action/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --verify .cfg repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
- Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv --verify .cfg 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv k/gh-aw/gh-aw/.gremote.origin.url -f repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } l owner=github -f /usr/bin/gh api k/gh-aw/gh-aw/.g-f -f /usr/bin/git l owner=github DiscussionsEnabl/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --verify .cfg 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv --verify .cfg iew.lock.yml (http block)
- Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv /home/REDACTED/work/gh-aw/gh-aw/.github/workflows config rcer.lock.yml remote.origin.urgit (http block)
https://api.github.com/repos/github/gh-aw
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch ithub/workflows (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .default_branch /ref/tags/v9 -- sv name .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw git -C k/gh-aw/gh-aw/.github/workflows rev-parse r: $owner, name: $name) { hasDiscussionsEnabled } } HEAD .cfg ache/go/1.25.8/x/home/REDACTED/work/gh-aw/gh-aw infocmp (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Copilot · 2026-05-04T03:45:56Z

@copilot merge main and recompile

The branch is already up to date with main — the merge was done in e05ccc1 and origin/main hasn't moved since. Nothing new to merge or recompile.

github-actions · 2026-05-04T03:55:23Z

✅ Dev completed successfully!

pelikhan · 2026-05-04T04:03:32Z

@lpcox Why would the reflect endpoint not be enabled?

lpcox · 2026-05-04T04:15:08Z

The /reflect endpoint is enabled in the api-proxy. It's served by handleManagementEndpoint() in containers/api-proxy/server.js (line 629), but only on port 10000 (the OpenAI/management port, which has isManagementPort: true).

The issue was that Pi routed LLM traffic through host.docker.internal:PORT, which goes to the host machine's port-forward — bypassing the api-proxy Docker container entirely. Since the api-proxy container was never an active participant in the AWF Docker network, its management port (10000) was unreachable from the agent container, and /reflect returned nothing.

This PR correctly fixes it by routing through the api-proxy Docker service hostname instead, which keeps the api-proxy container active on the network and makes /reflect (and /health, /metrics) accessible.

Copilot AI and others added 3 commits May 4, 2026 02:51

Analysis: why dev cannot access AWF /reflect endpoint unlike smoke-co…

59c7f1a

…pilot Agent-Logs-Url: https://github.com/github/gh-aw/sessions/5f990e7a-a34d-4cdf-bf2d-7b57564c37cb Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

refactor(test): improve readability of nested type assertions in pi e…

c294b9d

…ngine test Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f07dcb97-a7b7-41f0-aeee-3837a13bb6d3 Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI assigned Copilot and pelikhan May 4, 2026

Copilot created this pull request from a session on behalf of pelikhan May 4, 2026 03:27 View session

Copilot finished work on behalf of pelikhan May 4, 2026 03:28

Copilot AI requested a review from pelikhan May 4, 2026 03:28

pelikhan marked this pull request as ready for review May 4, 2026 03:31

Copilot AI review requested due to automatic review settings May 4, 2026 03:31

Copilot started work on behalf of pelikhan May 4, 2026 03:32 View session

Copilot started reviewing on behalf of pelikhan May 4, 2026 03:32 View session

Copilot AI reviewed May 4, 2026

View reviewed changes

Copilot AI changed the title ~~fix(pi): use api-proxy container IP for LLM gateway routing to enable /reflect access~~ fix(pi): use api-proxy Docker service hostname for LLM gateway routing to enable /reflect access May 4, 2026

Copilot finished work on behalf of pelikhan May 4, 2026 03:42

Copilot started work on behalf of pelikhan May 4, 2026 03:42 View session

Copilot finished work on behalf of pelikhan May 4, 2026 03:47

pelikhan added the dev label May 4, 2026

github-actions Bot removed the dev label May 4, 2026

pelikhan added the awf label May 4, 2026

pelikhan merged commit 0836de2 into main May 4, 2026
359 checks passed

pelikhan deleted the copilot/compare-awf-flags-dev-smoke-copilot branch May 4, 2026 04:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(pi): use api-proxy Docker service hostname for LLM gateway routing to enable /reflect access#30045

fix(pi): use api-proxy Docker service hostname for LLM gateway routing to enable /reflect access#30045
pelikhan merged 4 commits into
mainfrom
copilot/compare-awf-flags-dev-smoke-copilot

Copilot AI commented May 4, 2026 •

edited

Loading

Uh oh!

pelikhan commented May 4, 2026

Uh oh!

Copilot AI left a comment

Uh oh!

pelikhan commented May 4, 2026

Uh oh!

Copilot AI commented May 4, 2026 •

edited

Loading

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Copilot AI commented May 4, 2026

Uh oh!

github-actions Bot commented May 4, 2026 •

edited

Loading

Uh oh!

pelikhan commented May 4, 2026

Uh oh!

lpcox commented May 4, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

Copilot AI commented May 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Root cause

Fix

Changes

Verification

Uh oh!

pelikhan commented May 4, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Copilot's findings

Uh oh!

pelikhan commented May 4, 2026

Uh oh!

Copilot AI commented May 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Copilot AI commented May 4, 2026

Uh oh!

github-actions Bot commented May 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

pelikhan commented May 4, 2026

Uh oh!

lpcox commented May 4, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Copilot AI commented May 4, 2026 •

edited

Loading

Copilot AI commented May 4, 2026 •

edited

Loading

github-actions Bot commented May 4, 2026 •

edited

Loading