Skip to content

[awf] API proxy: validate Copilot model before agent launch to prevent misleading auth errors #4566

Description

@lpcox

Problem

When a workflow sets engine.model: gpt-5-codex (a retired model), AWF passes the literal string as COPILOT_MODEL to the Copilot CLI without validation. The agent fails with a provider authentication-style error rather than a clear "model unavailable" message, misleading operators into thinking their API keys are wrong.

Context

Source issue: github/gh-aw#35032

Affected config:

engine:
  id: copilot
  model: gpt-5-codex

Root Cause

pkg/workflow/engine.go:285-289 copies the raw YAML engine.model string into EngineConfig.Model without resolving aliases or checking availability. AWF then surfaces an opaque auth failure from the Copilot process instead of a model-resolution error.

Proposed Solution

  • In src/cli.ts (or a new src/model-validator.ts), add pre-flight model validation against a known list of supported/retired models before starting containers.
  • When --enable-api-proxy is active (containers/api-proxy/), the API proxy should return a 400 Bad Request with a descriptive body when the requested model is retired or unknown, rather than forwarding a request that produces an auth-flavored error.
  • Log a clear warning: "Model 'gpt-5-codex' is retired; did you mean 'gpt-5.3-codex'?" before exiting with a non-zero code.

Generated by Firewall Issue Dispatcher · sonnet46 2.5M ·

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions