Skip to content

Add declarative custom-engine frontmatter and migrate Crush/OpenCode to shared behavior definitions#44465

Merged
pelikhan merged 88 commits into
mainfrom
copilot/define-agentic-engine-syntax
Jul 14, 2026
Merged

Add declarative custom-engine frontmatter and migrate Crush/OpenCode to shared behavior definitions#44465
pelikhan merged 88 commits into
mainfrom
copilot/define-agentic-engine-syntax

Conversation

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

This introduces a richer engine-definition frontmatter shape for shared/custom agentic engines and uses it to move Crush and OpenCode off bespoke Go implementations onto a common declarative runtime path. The new syntax is expressive enough for CLI-style engines that need install, config, execution, MCP, capability, and auth wiring, including Auggie-like cases.

  • New engine-definition surface

    • Adds engine.experimental, engine.auth, and engine.behaviors to the named engine definition form.
    • behaviors captures the runtime contract instead of hard-coding it in Go:
      • capabilities
      • manifest files/path prefixes
      • installation metadata
      • config file generation
      • execution command/args/env
      • MCP config target
    • auth provides explicit secret bindings for engines that need engine-specific credentials forwarded into the runtime.
  • Shared behavior-defined runtime

    • Adds a generic BehaviorDefinedEngine that materializes a CodingAgentEngine from frontmatter.
    • Reuses the existing universal provider/model routing where applicable, but also supports engine-specific secret/env bindings for nonstandard CLIs.
    • Registers imported named engine definitions during compilation so shared workflows can define engines declaratively instead of requiring Go registration.
  • Crush/OpenCode refactor

    • Replaces the bespoke Crush/OpenCode runtime logic with thin wrappers over builtin engine definitions.
    • Moves engine-specific behavior into:
      • pkg/workflow/data/engines/crush.md
      • pkg/workflow/data/engines/opencode.md
    • Keeps their existing runtime identity while making their install/config/execute behavior data-driven.
  • Schema and docs

    • Extends the workflow schema and frontmatter reference docs to describe the new engine-definition fields.
    • Documents the custom-engine shape with behavior blocks and auth bindings so new engines can be added without copy-pasting a dedicated Go implementation.
  • Coverage

    • Adds/updates tests for:
      • schema shape
      • builtin engine definitions
      • imported behavior-defined engines
      • Crush/OpenCode parity through the shared path
    • Includes an imported Auggie-style engine example to exercise explicit auth binding and declarative execution.

Example of the new shared engine definition shape:

engine:
  id: auggie
  display-name: Auggie
  experimental: true
  auth:
    - role: session
      secret: AUGMENT_SESSION_AUTH
  behaviors:
    supported-env-var-keys:
      - AUGMENT_SESSION_AUTH
    installation:
      package-manager: npm
      package-name: "@augmentcode/auggie"
      version: "1.0.0"
      step-name: Install Auggie
      binary-name: auggie
      include-node-setup: true
    config-file:
      path: .auggie.json
      step-name: Write Auggie Config
      content: '{"sandbox":"workspace-write"}'
      merge-strategy: json-merge
    execution:
      command-name: auggie
      args: [run]
      step-name: Execute Auggie CLI
      model-env-var: AUGGIE_MODEL
      mcp-config-env-var: AUGGIE_MCP_CONFIG
      write-timestamp: true

Generated by 👨‍🍳 PR Sous Chef · 10.4 AIC · ⌖ 5.15 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 16.6 AIC · ⌖ 7.21 AIC · ⊞ 4.7K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 8.9 AIC · ⌖ 5.99 AIC · ⊞ 4.7K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 6.57 AIC · ⌖ 6.74 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 4.36 AIC · ⌖ 7.98 AIC · ⊞ 4.7K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 7.94 AIC · ⌖ 6.73 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 9.71 AIC · ⌖ 6.72 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 12.5 AIC · ⌖ 6.14 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 4.34 AIC · ⌖ 5.93 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 11.3 AIC · ⌖ 6.23 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 10.4 AIC · ⌖ 4.23 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 11.7 AIC · ⌖ 6.78 AIC · ⊞ 4.2K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 4.72 AIC · ⌖ 6.03 AIC · ⊞ 7.5K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 6.21 AIC · ⌖ 8.01 AIC · ⊞ 7.5K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 9.13 AIC · ⌖ 8 AIC · ⊞ 5.1K ·
Comment /souschef to run again

Copilot AI and others added 3 commits July 9, 2026 03:49
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Add declarative frontmatter syntax for custom agentic engines Add declarative custom-engine frontmatter and migrate Crush/OpenCode to shared behavior definitions Jul 9, 2026
Copilot AI requested a review from pelikhan July 9, 2026 04:18
@pelikhan

pelikhan commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

@copilot remove crush/opencode from Go code and only keep them as shared agentic workflow files.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan

pelikhan commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

@copilot create a new instruction file to help with configuring new agentic engines

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@copilot remove crush/opencode from Go code and only keep them as shared agentic workflow files.

Addressed in 5537932.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@copilot create a new instruction file to help with configuring new agentic engines

Addressed in ab02806.

@pelikhan

pelikhan commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

@copilot merge main and recompile
Run pr-finisher skill

Copilot AI and others added 3 commits July 9, 2026 05:20
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…c-engine-syntax

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@copilot merge main and recompile
Run pr-finisher skill

Addressed in 1610bec.

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

pr-sous-chef
@copilot please run the pr-finisher skill, ensure the branch is up to date, address any remaining review feedback, and rerun checks.
...

  • ✅ Reviews — All 4 review threads are resolved (AWF exclude-env secret handling, required secret propagation, MCP config env wiring, config-file parent-directory creation).
  • ✅ Checks (local) — make fmt, make lint, make test-unit, make agent-report-progress all pass. 257/257 workflows compiled, 0 errors, lock files in sync.
  • ❓ Checks (CI) — Stale after last agent push (c5f4d10). The latest Smoke OpenCode run (29285992583 on 29efc4c) failed with a 10-minute timeout on the "Execute OpenCode CLI" step — root cause: providerID=awf-proxy was still in play on that commit. That was fixed in c5f4d10 (removed the custom awf-proxy provider block from opencode.jsonc; OpenCode now uses its built-in copilot provider with GITHUB_COPILOT_BASE_URL and standard env injection). All other CI runs are action_required (pending maintainer approval, not code failures).
  • ✅ Mergeable — Branch is up to date with main (0 commits behind, head c5f4d10), no conflicts.

Actions taken: none — working tree is clean, all previous fixes are in place.

Hand-off: A maintainer needs to /smoke-opencode on the current HEAD (c5f4d10) to confirm green before merge.

@pelikhan

Copy link
Copy Markdown
Collaborator

Copilot AI and others added 2 commits July 14, 2026 02:59
…er with internal IP

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…172.30.0.30:10002)

OpenCode v1.2.14 uses @ai-sdk/openai@3.x for built-in providers (copilot, openai),
which always routes to the OpenAI Responses API (/v1/responses). The AWF proxy only
supports /v1/chat/completions, so every request fails with HTTP 503.

The fix is to use a custom provider name ("awf-proxy") which causes OpenCode to fall
back to @ai-sdk/openai-compatible, which ONLY uses Chat Completions API.

Previous fix (c5f4d10) used http://host.docker.internal:10002 as the api URL, but
from inside the AWF container this resolves to the Docker host machine's LLM gateway
which requires a real Copilot token and rejects the placeholder key.

Correct fix: use http://172.30.0.30:10002/v1 (constants.AWFAPIProxyContainerIP) which
is the internal Docker network address of the AWF api-proxy sidecar. This endpoint
accepts the awf-copilot-proxy placeholder key because the proxy handles token steering
internally.

Also adds 172.30.0.30 and 172.30.0.30:PORT entries to AWFNoProxyHosts so that Bun
(which backs OpenCode) bypasses Squid when making requests to the internal api-proxy.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@copilot OpenCode is misconfigured https://github.com/github/gh-aw/actions/runs/29301322952/job/86985617751#step:28:1

Fixed in commit ddf530c.

Root cause: OpenCode v1.2.14 uses @ai-sdk/openai@3.x for its built-in providers (copilot, openai). That SDK's sdk.responses(modelID) always routes to /v1/responses (OpenAI Responses API), which the AWF api-proxy does not support — it only handles /v1/chat/completions. This causes every request to fail.

Why the previous fix (c5f4d10) also failed: It switched back to the built-in copilot provider, which still routes to /v1/responses. Same failure mode, different path.

Actual fix (restored approach with correct IP):

  1. Custom awf-proxy provider — OpenCode treats any provider name not in its models.dev database as an "openai-compatible" provider, which uses @ai-sdk/openai-compatible → Chat Completions API only. This is what we need.
  2. Correct API URL: http://172.30.0.30:10002/v1 — The AWFAPIProxyContainerIP (172.30.0.30) is the fixed internal Docker network IP of the AWF api-proxy sidecar. The previous attempt used host.docker.internal:10002, which from inside the AWF container resolves to the Docker host machine's LLM gateway — which requires a real token and returns 503. The internal sidecar at 172.30.0.30 accepts the awf-copilot-proxy placeholder key and steers the token internally.
  3. Added 172.30.0.30 to AWFNoProxyHosts — Bun (OpenCode's HTTP runtime) compares the full host:port string against NO_PROXY, so both 172.30.0.30 and 172.30.0.30:10002 are explicitly listed to bypass Squid.

A maintainer /smoke-opencode is needed to verify the fix in CI.

@pelikhan

Copy link
Copy Markdown
Collaborator

/smoke-opencode

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke OpenCode MISSION COMPLETE! OpenCode delivered. 🔥

@pelikhan

Copy link
Copy Markdown
Collaborator

Copilot AI and others added 2 commits July 14, 2026 04:17
…ions

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…int is /chat/completions not /v1/chat/completions)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@copilot error with connection https://github.com/github/gh-aw/actions/runs/29303183562/job/86991186603#step:28:1

Fixed in commit fix: remove /v1 suffix from OpenCode awf-proxy API URL.

Root cause: The AWF api-proxy sidecar at port 10002 serves the Copilot API format, which uses /chat/completions (no /v1 prefix). The opencode.md config had "api": "http://172.30.0.30:10002/v1", causing @ai-sdk/openai-compatible to append /chat/completions and call http://172.30.0.30:10002/v1/chat/completions → 404.

Fix: Changed to "api": "http://172.30.0.30:10002" so the SDK calls http://172.30.0.30:10002/chat/completions, matching the Copilot API endpoint format.

Please /smoke-opencode to verify.

@pelikhan

Copy link
Copy Markdown
Collaborator

/smoke-opencode

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke OpenCode MISSION COMPLETE! OpenCode delivered. 🔥

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot pick an older model compatible with completions

https://github.com/github/gh-aw/actions/runs/29313009110/job/87020905713#step:28:1

Copilot AI and others added 2 commits July 14, 2026 07:26
…atibility

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@copilot pick an older model compatible with completions

https://github.com/github/gh-aw/actions/runs/29313009110/job/87020905713#step:28:1

Switched to gpt-4.1 in both smoke-opencode.md and the awf-proxy provider models in opencode.md. gpt-5.5 uses OpenAI's Responses API (/v1/responses) which the AWF api-proxy doesn't support — gpt-4.1 routes via chat completions as expected.

Fixed in commit fix: use gpt-4.1 for OpenCode smoke test (chat completions compatible).

@pelikhan

Copy link
Copy Markdown
Collaborator

@copilot use sonnet 4.5 level model , not gpt-4.1

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 10.1 AIC · ⌖ 6.64 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@copilot use sonnet 4.5 level model , not gpt-4.1

Done. Switched to copilot/claude-sonnet-4.5 in both smoke-opencode.md (the workflow model) and the awf-proxy provider models block in opencode.md. Workflows recompiled successfully (257/257, 0 errors).

@pelikhan

Copy link
Copy Markdown
Collaborator

/smoke-opencode

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

🚀 Smoke OpenCode MISSION COMPLETE! OpenCode delivered. 🔥

@github-actions

Copy link
Copy Markdown
Contributor

Sighthound Security Scan — PR #44465

127 total findings (84 in non-test production files, 13 in testdata, 30 in test files).

After manual triage, the vast majority are false positives.


🟡 False Positives (no action needed)

Category Count Why it is a false positive
Unsafe Deserialization 55 yaml.Unmarshal into strongly-typed Go structs — no arbitrary code execution possible
Command Injection 11 All use exec.Command(binary, arg1, arg2, ...) with separate args, never a shell -c string
DOM-based XSS 2 cell.setAttribute("data-label", th.textContent) and errorText.textContent = result.error — both use safe APIs
Template Injection 1 Same as above (textContent) — safe
Path Traversal (scripts) 4 Dev-time build scripts with developer-controlled inputs
Path Traversal (actions/setup) 1 Writes hardcoded embedded FILES constant — no user input involved
SSRF (scripts) 1 Build script fetching a hardcoded URL for PDF generation
ReDoS 2 Docs editor JS — not served in a server context
Insecure Randomness 5 Used for non-cryptographic purposes (branch naming, forecasting) — acceptable

🟠 Low-Risk Findings Worth a Second Look

Severity Finding File Notes
High Insecure postMessage docs/public/wasm/compiler-worker.js:38 Verify origin is validated on message receipt in the worker
High Path Traversal pkg/cli/download_workflow.go:105 path written to sparse-checkout file; verify newlines/special chars are rejected upstream

No immediate remediation required — these are low-risk with contextual mitigations.


Scanned by Sighthound · Run 29318157120

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by 🛡️ Sighthound Security Scan for #44465 · 30.4 AIC · ⌖ 5.69 AIC · ⊞ 4.1K ·

…compile lock files

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address unresolved review comments, and rerun checks once the branch is up to date.

...

  • ✅ Reviews — All 4 review threads remain resolved.
  • ✅ Checks (local) — make fmt, make golint-custom, go test ./pkg/workflow/..., make agent-report-progress all pass. 257/257 workflows compiled, 0 errors, lock files in sync.
  • ❓ Checks (CI) — Two failures found on the d9ebe1a merge commit. Fixed in this push:
    • lint-go (panicinlibrarycode): behavior_defined_engine.go:67 had a panic(fmt.Errorf(...)) call in mustNewBuiltinBehaviorDefinedEngine. Removed the helper and moved error handling inline in agentic_engine.go. Fixed in 3e3ac16.
    • test (pkg/parser): passes locally — likely a transient CI flake on that commit.
    • Smoke CI agent step failure: infra/LLM-based run, not locally reproducible.
  • ✅ Mergeable — Branch is up to date with main (merged d9ebe1a, 0 conflicts), no conflicts.

Hand-off: CI must be re-triggered by a maintainer (CGO lint-go and /smoke-opencode) before merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants