Fix engine CLI args and containerized detection output contract

[Copilot]

Bug Fix

What was the bug?

Engine adapters and generated container smoke workflows had drifted from the pinned CLI/runtime contracts: Copilot/Codex used invalid --print forms, Claude stream JSON lacked --verbose, and containerized detection produced JSON output that gh-aw’s parser did not consume.

How did you fix it?

• Engine CLI construction

  • Replaced Copilot/Codex --print usage with valid prompt-file based command forms.
  • Added Claude --verbose for --output-format stream-json.
  • Added exact argument construction tests.

• Containerized detection contract

  • Updated sibling workflow generation to write structured output to result.json.
  • Appends compact gh-aw parser-compatible output to detection.log:

threat-detect "${args[@]}" --output "$result_path" /tmp/gh-aw/threat-detection
python3 -c 'import json,sys; print("THREAT_DETECTION_RESULT:" + json.dumps(json.load(open(sys.argv[1])), separators=(",", ":")))' "$result_path" >> detection.log

• Generated workflows
  • Regenerated Copilot, Claude, and Codex container lock workflows.
  • Set THREAT_DETECTION_REFLECT_URL to the AWF api-proxy reflect endpoint.
  • Pinned the default detector image to ghcr.io/github/gh-aw-threat-detection:v1.0.0 instead of latest.

Testing

• make lint
• make test
• scripts/create-threat-detection-sibling-workflows.py --check
• Secret scan
• CodeQL/security validation
• Reviewed latest containerized smoke workflow run status