chore: centralize BUG panic for invalid model in domain computation (#30310)

Author: Copilot

pkg/workflow/crush_engine.go

@@ -171,17 +171,13 @@ func (e *CrushEngine) GetExecutionSteps(workflowData *WorkflowData, logFile stri
 			// The model was validated by validateUniversalLLMConsumerModel before reaching here,
 			// so a malformed model (e.g. leading slash) must never occur. Panic is the correct
 			// response to an internal invariant violation.
-			var err error
-			allowedDomains, err = GetAllowedDomainsForEngineWithModel(
+			allowedDomains = mustGetAllowedDomainsForEngineWithModel(
 				constants.CrushEngine,
 				model,
 				workflowData.NetworkPermissions,
 				workflowData.Tools,
 				workflowData.Runtimes,
 			)
-			if err != nil {
-				panic(fmt.Sprintf("BUG: invalid model %q reached domain computation (should have been caught by validation): %v", model, err))
-			}
 		}
 
 		npmPathSetup := GetNpmBinPathSetup()

pkg/workflow/domains.go

@@ -775,6 +775,17 @@ func GetAllowedDomainsForEngineWithModel(engine constants.EngineName, model stri
 	return mergeDomainsWithNetworkToolsAndRuntimes(defaults, network, tools, runtimes), nil
 }
 
+// mustGetAllowedDomainsForEngineWithModel is like GetAllowedDomainsForEngineWithModel but
+// panics if the model is malformed. It is intended for call sites where the model has
+// already been validated and an error represents an internal invariant violation (BUG).
+func mustGetAllowedDomainsForEngineWithModel(engine constants.EngineName, model string, network *NetworkPermissions, tools map[string]any, runtimes map[string]any) string {
+	result, err := GetAllowedDomainsForEngineWithModel(engine, model, network, tools, runtimes)
+	if err != nil {
+		panic(fmt.Sprintf("BUG: invalid model %q reached domain computation (should have been caught by validation): %v", model, err))
+	}
+	return result
+}
+
 // GetAllowedDomainsForEngine merges the engine's default domains with NetworkPermissions,
 // HTTP MCP server domains, and runtime ecosystem domains.
 // Returns a deduplicated, sorted, comma-separated string suitable for AWF's --allow-domains flag.

pkg/workflow/opencode_engine.go

@@ -129,17 +129,13 @@ func (e *OpenCodeEngine) GetExecutionSteps(workflowData *WorkflowData, logFile s
 			// The model was validated by validateUniversalLLMConsumerModel before reaching here,
 			// so a malformed model (e.g. leading slash) must never occur. Panic is the correct
 			// response to an internal invariant violation.
-			var err error
-			allowedDomains, err = GetAllowedDomainsForEngineWithModel(
+			allowedDomains = mustGetAllowedDomainsForEngineWithModel(
 				constants.OpenCodeEngine,
 				model,
 				workflowData.NetworkPermissions,
 				workflowData.Tools,
 				workflowData.Runtimes,
 			)
-			if err != nil {
-				panic(fmt.Sprintf("BUG: invalid model %q reached domain computation (should have been caught by validation): %v", model, err))
-			}
 		}
 
 		npmPathSetup := GetNpmBinPathSetup()

pkg/workflow/pi_engine.go

@@ -337,11 +337,7 @@ func (e *PiEngine) GetExecutionSteps(workflowData *WorkflowData, logFile string)
 			}
 			// The model was validated before reaching here; a malformed model (leading slash)
 			// must never occur at this point — panic is the correct invariant guard.
-			var err error
-			allowedDomains, err = GetAllowedDomainsForEngineWithModel(constants.PiEngine, model, workflowData.NetworkPermissions, workflowData.Tools, workflowData.Runtimes)
-			if err != nil {
-				panic(fmt.Sprintf("BUG: invalid Pi model %q reached domain computation (should have been caught by validation): %v", model, err))
-			}
+			allowedDomains = mustGetAllowedDomainsForEngineWithModel(constants.PiEngine, model, workflowData.NetworkPermissions, workflowData.Tools, workflowData.Runtimes)
 		}
 		if workflowData.EngineConfig != nil && workflowData.EngineConfig.APITarget != "" {
 			allowedDomains = mergeAPITargetDomains(allowedDomains, workflowData.EngineConfig.APITarget)