
Optimize export-audit workflow token usage by precomputing audits and bounding verification#3258

Merged
lpcox merged 6 commits into main from copilot/optimize-copilot-token-use
May 16, 2026

Copilot AI commented May 16, 2026

Contributor

API Surface & Export Audit was consistently expensive (high effective token usage, low prefix-cache reuse) and occasionally spiked into outlier runs due to repeated in-agent bash verification loops. This update shifts deterministic audits into pre-agent steps, refactors prompt layout for cacheability, and adds explicit verification limits.

  • Precompute deterministic Phase 4/5 audits

    • Added test_imports step to collect test import-path findings.
    • Added apip_exports step to collect api-proxy provider export consistency findings.
    • Replaced Phase 4/5 inline bash blocks in the prompt body with references to precomputed outputs.
  • Refactor prompt structure for prefix caching

    • Moved all ${{ steps.*.outputs.* }} interpolations into a single ## Pre-computed Data block at the end of the prompt.
    • Kept phase instructions static and front-loaded so stable instruction text can be reused across turns.
  • Bound verification loops

    • Added a ## Verification Budget section:
      • evaluate top 10 candidates only,
      • max 2 bash checks per candidate,
      • mark unconfirmed and skip after budget is exhausted.
  • Regenerate compiled workflow

    • Recompiled export-audit.md into export-audit.lock.yml so runtime prompt/env wiring reflects new step outputs and prompt layout.
```yaml
- name: Audit test file imports
  id: test_imports
  run: |
    {
      echo "TEST_IMPORTS<<EOF"
      # deterministic grep-based audit output
      echo "EOF"
    } >> "$GITHUB_OUTPUT"

- name: Audit api-proxy module exports
  id: apip_exports
  run: |
    {
      echo "APIP_EXPORTS<<EOF"
      # deterministic provider export audit output
      echo "EOF"
    } >> "$GITHUB_OUTPUT"
```
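
The pre-agent steps above write audit results derived from repository files into `$GITHUB_OUTPUT` with a fixed `EOF` delimiter, and those outputs later feed the agent prompt. As an added example (not code from this PR or repository), the sketch below writes a multi-line output with a random per-call delimiter so that a matched line equal to the delimiter cannot end the value early; the helper names, the simplified output-file parser and the sample findings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example; emit_output, list_output_keys and demo_keys are hypothetical names.

# emit_output NAME FILE: append FILE to $GITHUB_OUTPUT as multi-line output NAME.
emit_output() {
  eo_name=$1; eo_file=$2
  # Random per-call delimiter that audited repository content cannot predict.
  eo_delim="ghadelimiter_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  # Fail closed if the content still contains the delimiter as a whole line.
  if grep -qxF -- "$eo_delim" "$eo_file"; then
    echo "emit_output: delimiter collision in $eo_name" >&2
    return 1
  fi
  {
    printf '%s<<%s\n' "$eo_name" "$eo_delim"
    cat "$eo_file"
    # Keep the closing delimiter on its own line if FILE lacks a final newline.
    if [ -n "$(tail -c 1 "$eo_file")" ]; then printf '\n'; fi
    printf '%s\n' "$eo_delim"
  } >> "$GITHUB_OUTPUT"
}

# list_output_keys FILE: output names seen by a parser of the NAME<<DELIM and
# NAME=value file format (simplified model, assumed for this example).
list_output_keys() {
  awk '
    delim != "" { if ($0 == delim) delim = ""; next }   # inside a value
    /^[A-Za-z_][A-Za-z0-9_-]*<</ {
      i = index($0, "<<"); print substr($0, 1, i - 1); delim = substr($0, i + 2); next
    }
    /^[A-Za-z_][A-Za-z0-9_-]*=/ { print substr($0, 1, index($0, "=") - 1) }
  ' "$1" | paste -sd ' ' -
}

# demo_keys MODE: pass constructed findings through the fixed "EOF" delimiter
# (MODE=fixed) or through emit_output (MODE=random) and list the parsed keys.
demo_keys() {
  dk_dir=$(mktemp -d)
  # Constructed findings: one matched line is literally "EOF".
  printf '%s\n' "tests/a.test.ts: import '../dist/x'" 'EOF' 'EXTRA_KEY=1' > "$dk_dir/findings"
  GITHUB_OUTPUT="$dk_dir/out"
  if [ "$1" = fixed ]; then
    { echo "TEST_IMPORTS<<EOF"; cat "$dk_dir/findings"; echo "EOF"; } >> "$GITHUB_OUTPUT"
  else
    emit_output TEST_IMPORTS "$dk_dir/findings" || return 1
  fi
  list_output_keys "$GITHUB_OUTPUT"
  rm -rf "$dk_dir"
}
```

With the fixed delimiter the constructed findings parse as two outputs; with `emit_output` they stay inside the single `TEST_IMPORTS` value.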

Copilot AI changed the title from "[WIP] Optimize Copilot token usage based on audit findings" to "Optimize export-audit workflow token usage by precomputing audits and bounding verification" May 16, 2026
Copilot finished work on behalf of lpcox May 16, 2026 16:38
Copilot AI requested a review from lpcox May 16, 2026 16:38
@lpcox lpcox marked this pull request as ready for review May 16, 2026 16:41
@lpcox lpcox requested a review from Mossaka as a code owner May 16, 2026 16:41
Copilot AI review requested due to automatic review settings May 16, 2026 16:41

Copilot AI left a comment

Contributor

Pull request overview

This PR optimizes the API Surface & Export Audit agentic workflow by moving more deterministic audit work into pre-agent steps, restructuring prompt data for cacheability, and bounding verification work.

Changes:

  • Adds precomputed test-import and api-proxy export audit steps.
  • Moves dynamic step-output data into a final “Pre-computed Data” prompt section.
  • Regenerates the compiled workflow lock file.
Show a summary per file

| File | Description |
| --- | --- |
| .github/workflows/export-audit.md | Adds new audit steps and updates prompt phases, verification budget, and precomputed data layout. |
| .github/workflows/export-audit.lock.yml | Regenerated compiled workflow reflecting new steps, env wiring, and prompt template changes. |

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 3

Comment thread .github/workflows/export-audit.md Outdated
Comment thread .github/workflows/export-audit.md Outdated
Comment thread .github/workflows/export-audit.md Outdated

lpcox and others added 3 commits May 16, 2026 09:54
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

@lpcox

lpcox commented May 16, 2026

Collaborator

Copilot AI commented May 16, 2026

Contributor Author

@copilot fix this failed ci check https://github.com/github/gh-aw-firewall/actions/runs/25967614686/job/76333782113?pr=3258

Fixed in commit 7d35f77. The API proxy container was failing with Cannot find module './oidc-token-provider-base'; I updated containers/api-proxy/Dockerfile to copy oidc-token-provider-base.js into the image so the API Proxy test job can start successfully.

Copilot finished work on behalf of lpcox May 16, 2026 17:46
@github-actions

Contributor

🔬 Smoke Test Results

| Test | Status |
| --- | --- |
| GitHub MCP connectivity | ❌ (401 Bad credentials) |
| GitHub.com HTTP connectivity | ⚠️ (pre-step data unavailable — template vars not substituted) |
| File write/read (/tmp/gh-aw/agent/smoke-test-copilot-25968722339.txt) | |

Overall: FAIL — GitHub MCP returned 401; template variable substitution did not occur for pre-step outputs.

PR author/assignees could not be retrieved due to MCP auth failure.

📰 BREAKING: Report filed by Smoke Copilot

@github-actions github-actions Bot mentioned this pull request May 16, 2026
@github-actions

Contributor

Claude Engine Smoke Test Results

Test 1 (GitHub API): FAIL — gh CLI authentication error (HTTP 401)
Test 2 (Playwright): PASS — GitHub page title confirmed
Test 3 (File verify): PASS — smoke-test file exists with correct content

Overall: 2/3 PASS

💥 [THE END] — Illustrated by Smoke Claude

@github-actions

Contributor

Smoke Test: Copilot BYOK (Offline) Mode

| Test | Result |
| --- | --- |
| GitHub MCP connectivity | ❌ 401 Bad credentials |
| GitHub.com HTTP connectivity | ⚠️ Template var unresolved |
| File write/read | ⚠️ Template var unresolved |
| BYOK inference (api-proxy → api.githubcopilot.com) | |

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: FAIL — pre-step template variables (${{ steps.smoke-data.outputs.* }}) were not substituted, and GitHub MCP returned 401. BYOK inference path itself is functional.

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions

Contributor

[awf] Support Azure Copilot BYOK env routing in api-proxy and resolve gpt-5.4 via gpt-5 family aliases
Refactor Azure OIDC provider to inherit shared token lifecycle from BaseOidcTokenProvider
✅ Playwright, file write/read, npm ci, build
❌ GitHub safeinputs/MCP tools, Tavily search tool
✅ Discussion fallback comment posted (#191)
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

```yaml
network:
  allowed:
    - defaults
    - "registry.npmjs.org"
```

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions

Contributor

Smoke Test Results

- GitHub MCP: ❌
- Connectivity: ❌
- File Writing: ✅
- Bash Tool: ✅

Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

```yaml
network:
  allowed:
    - defaults
    - "localhost"
```

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@github-actions

Contributor

🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color 1/1 passed ✅ PASS
Go env 1/1 passed ✅ PASS
Go uuid 1/1 passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Note (Java): The default ~/.m2 directory was owned by root (permissions issue in this runner). Maven was run with -Dmaven.repo.local=/tmp/gh-aw/agent/.m2/repository as a workaround. All Java tests passed successfully.

Generated by Build Test Suite for issue #3258 · ● 5.8M

@github-actions

Contributor

Smoke Test Results — FAIL

| Check | Result |
| --- | --- |
| Redis PING | ❌ TIMEOUT/FAIL |
| PostgreSQL pg_isready | ❌ no response |
| PostgreSQL SELECT 1 | ❌ TIMEOUT/FAIL |

Overall: FAIL. host.docker.internal is not reachable on either port 6379 or 5432. Service containers may not be running or the host alias is not resolvable in this environment.

🔌 Service connectivity validated by Smoke Services

@github-actions

Contributor

🧪 Chroot Version Comparison Results

| Runtime | Host Version | Chroot Version | Match? |
| --- | --- | --- | --- |
| Python | Python 3.12.13 | Python 3.12.3 | |
| Node.js | v24.15.0 | v20.20.2 | |
| Go | go1.22.12 | go1.22.12 | |

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

@lpcox lpcox merged commit a770aca into main May 16, 2026
65 of 69 checks passed
@lpcox lpcox deleted the copilot/optimize-copilot-token-use branch May 16, 2026 18:25
Development

Successfully merging this pull request may close these issues.

⚡ Copilot Token Optimization 2026-05-16 — API Surface & Export Audit

3 participants