Add model policy frontmatter + import unioning + env policy overrides

[Copilot]

This change introduces model policy controls in workflow frontmatter (models.allowed, models.disallowed) and maps them to AWF’s allowedModels / disallowedModels config. It also makes policy behavior import-safe by unioning model sets across composed workflows, with centralized environment overrides taking precedence.

• Frontmatter + schema support

  • Extended models frontmatter schema to support policy fields alongside optional pricing providers.
  • Added typed parsing for:
    • models.allowed
    • models.disallowed

• Import compatibility (union semantics)

  • Extended import extraction/results to carry model policy sets from imported workflows.
  • Added workflow merge logic to union policy sets across imports + main workflow.
  • Added conflict handling so disallowed takes precedence when the same model appears in both allowed and disallowed sets.

• Cost data cleanliness + parse warnings

  • Tightened import-side model-cost extraction to only accept valid non-empty models.providers objects.
  • Added import warnings for invalid models.allowed / models.disallowed / models.providers shapes and invalid entries, while safely skipping bad values.

• Centralized policy overrides

  • Added compiler env overrides:
    • GHAW_POLICY_MODELS_ALLOWED
    • GHAW_POLICY_MODELS_DISALLOWED
  • Override values are parsed as model lists and applied with precedence over frontmatter/import-derived policy.

• AWF config mapping

  • Emitted merged/effective policy into AWF config:
    • apiProxy.allowedModels
    • apiProxy.disallowedModels

# workflow frontmatter
models:
  allowed: [gpt-5, claude-sonnet]
  disallowed: [gpt-5-pro]

// generated AWF apiProxy fragment
{
  "allowedModels": ["gpt-5", "claude-sonnet"],
  "disallowedModels": ["gpt-5-pro"]
}

---

pr-sous-chef https://github.com/github/gh-aw/actions/runs/28333890571

Generated by 👨‍🍳 PR Sous Chef · 49.3 AIC · ⌖ 1.05 AIC · ⊞ 17.3K · ◷

---

pr-sous-chef: requested branch update via https://github.com/github/gh-aw/actions/runs/28336535351

Generated by 👨‍🍳 PR Sous Chef · 57.9 AIC · ⌖ 1.4 AIC · ⊞ 17.3K · ◷

---

pr-sous-chef: refresh branch for workflow run 28338043309

Generated by 👨‍🍳 PR Sous Chef · 47.3 AIC · ⌖ 1.47 AIC · ⊞ 17.3K · ◷

---

Generated by 👨‍🍳 PR Sous Chef · 67.9 AIC · ⌖ 1.53 AIC · ⊞ 17.6K · ◷

---

pr-sous-chef run: https://github.com/github/gh-aw/actions/runs/28381497646

Generated by 👨‍🍳 PR Sous Chef · 72.2 AIC · ⌖ 1.02 AIC · ⊞ 17.6K · ◷

[Copilot]

Pull request overview

Adds end-to-end “model policy” support to gh-aw workflows, allowing authors (and centralized operators via env vars) to control which models are permitted/blocked, and ensuring policies compose safely across imported workflows before being emitted into the generated AWF config.

Changes:

• Extended workflow frontmatter models to support allowed, disallowed, and blocked policy lists (alongside optional pricing providers).
• Propagated model policy through import extraction and merged policies across imports + main workflow using union semantics.
• Emitted effective model policy to AWF config (apiProxy.allowedModels / apiProxy.disallowedModels) with env override precedence.

Show a summary per file

File	Description
pkg/workflow/workflow_builder.go	Extracts main workflow model policy and unions it with imported policy sets into WorkflowData.
pkg/workflow/workflow_builder_model_policy_test.go	Adds unit tests for policy extraction and union merge behavior.
pkg/workflow/model_aliases_test.go	Verifies frontmatter parsing populates parsed model policy lists.
pkg/workflow/frontmatter_types.go	Adds parsed frontmatter fields for model policy lists.
pkg/workflow/frontmatter_parsing.go	Parses model policy lists from raw frontmatter into typed config.
pkg/workflow/compilerenv/manager.go	Adds env-driven policy overrides for allowed/blocked model sets.
pkg/workflow/compilerenv/manager_test.go	Tests env override parsing and “unset” behavior.
pkg/workflow/compiler_types.go	Plumbs merged model policy into WorkflowData.
pkg/workflow/awf_config.go	Maps effective model policy (with env precedence) into AWF apiProxy config.
pkg/workflow/awf_config_test.go	Tests AWF config emission and env override precedence.
pkg/parser/schemas/main_workflow_schema.json	Updates schema for models to include policy fields and make providers optional.
pkg/parser/import_processor.go	Extends ImportsResult to carry extracted model policy sets.
pkg/parser/import_field_extractor.go	Extracts model policy from imported workflows and avoids treating policy keys as aliases.
pkg/parser/import_field_extractor_test.go	Adds tests ensuring model policy is extracted (and not misinterpreted as aliases) and can coexist with model costs.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (2)

pkg/parser/import_field_extractor.go:639

• When an imported workflow has models.providers plus model policy keys (allowed/disallowed/blocked), this appends the entire rawModels object into acc.modelCosts. That will later flow into WorkflowData.ModelCosts and into GH_AW_INFO_MODEL_COSTS, leaking policy keys into a payload that is expected to match the models.json pricing structure (providers-only). This can break downstream cost merging/parsing.

	if _, hasProviders := rawModels["providers"]; hasProviders {
		acc.modelCosts = append(acc.modelCosts, rawModels)
		if providers, ok := rawModels["providers"].(map[string]any); ok {
			parserLog.Printf("Extracted model costs from import: providers=%d", len(providers))
		} else {

pkg/workflow/workflow_builder.go:166

• Now that models frontmatter can contain policy keys (allowed/disallowed/blocked) without providers, toolsResult.parsedFrontmatter.ModelCosts may be non-empty even when there is no pricing data (because it unmarshals the whole models object). extractMainModelCostsOverlay currently returns that map as a cost overlay, which can cause policy-only models to be emitted as GH_AW_INFO_MODEL_COSTS and/or pollute the providers overlay with policy keys.

	}

	return workflowData
}

• Files reviewed: 14/14 changed files
• Comments generated: 0
• Review effort level: Low

[github-actions]

🤖 PR Triage

Category	feature
Risk	🔴 High
Priority	High (score 50/100)
Action	⏳ defer · Batch: active-drafts

Score breakdown: Impact 35 · Urgency 5 · Quality 10

New model policy frontmatter controls (models.allowed/disallowed/blocked) with import-safe union semantics (+483/-11, 14 files). Just created (<1 h), draft, no CI yet. Well-described and scoped. Deferred pending CI and agent completion. Part of pr-batch:active-drafts group (#41824, #41822, #41821).

Generated by 🔧 PR Triage Agent · 87.6 AIC · ⌖ 14.9 AIC · ⊞ 5.4K · ◷

[github-actions]

Hey @Copilot 👋 — great work on the model policy frontmatter feature! The addition of models.allowed, models.disallowed, and models.blocked to workflow frontmatter — along with import-safe union semantics and centralized env overrides — is a well-scoped, coherent change.

The PR is well-structured:

• ✅ Clear, detailed description with YAML/JSON examples showing the before/after config shape.
• ✅ Tests across all touched layers: import_field_extractor_test.go, awf_config_test.go, compilerenv/manager_test.go, model_aliases_test.go, and the newly added workflow_builder_model_policy_test.go.
• ✅ No unrelated changes — every file touched is in service of the model policy feature.
• ✅ No new external dependencies introduced.

This looks ready for review. 🚀

Generated by ✅ Contribution Check · 307.9 AIC · ⌖ 20.6 AIC · ⊞ 6K · ◷

[pelikhan]

@copilot merge main and recompile

[pelikhan]

/review

[github-actions]

✅ PR Code Quality Reviewer completed the code quality review.

[github-actions]

Skills-Based Review 🧠

Applied /tdd, /grill-with-docs, and /improve-codebase-architecture — requesting changes on test coverage gaps and a correctness concern.

📋 Key Themes & Highlights

Key Themes

• Asymmetric wildcard behaviour (correctness): modelConflictsWithDisallowedPolicy only applies pattern matching when the disallowed side has wildcards — wildcard entries in allowed are never expanded. The behaviour is non-obvious and untested.
• Silent drops without warnings: two paths silently discard data — (a) parseModelPolicyList ignores non-string frontmatter entries without a warning (unlike the import path which warns), and (b) appendModelsField drops model aliases when providers is present.
• Test fragility: index-based warning assertions (acc.warnings[0]) panic on re-ordering instead of surfacing a clear failure message.
• Missing maintainability comments: two functions whose logic is non-obvious (resolveModelPolicyForAWFConfig, extractMainModelPolicyOverlay) lack the inline comment that the equivalent cost-overlay functions already carry.

Positive Highlights

• ✅ Solid three-layer policy design (frontmatter → import union → env override) with clean precedence semantics
• ✅ Good test coverage for the core merge/conflict/env-override paths
• ✅ Deterministic output via sort.Strings on both result slices
• ✅ Policy keys correctly excluded from cost overlays in both import and main paths
• ✅ smoke-claude.md used as a live integration smoke test for the new feature

🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 141.4 AIC · ⌖ 12.3 AIC · ⊞ 6.6K
_{Comment /matt to run again}

[gh-aw-bot]

@copilot please run the pr-finisher skill, refresh this branch from main, address the unresolved review feedback, and rerun checks once the branch is up to date.

Unresolved review feedback includes the asymmetric wildcard-policy correctness gap, missing test coverage, warning-handling cleanup, and the env-override/commentary follow-ups.

Generated by 👨‍🍳 PR Sous Chef · 47.3 AIC · ⌖ 1.47 AIC · ⊞ 17.3K · ◷

[Copilot]

@copilot please run the pr-finisher skill, refresh this branch from main, address the unresolved review feedback, and rerun checks once the branch is up to date.

Unresolved review feedback includ...

Addressed in d5664b2 and follow-up d9db05a (plus branch refresh merge 9e29c15).

Fixed and covered:

• symmetric wildcard-policy conflict handling (including allowed wildcard vs disallowed exact)
• additional test coverage for wildcard conflict, providers+aliases coexistence, and per-list env override behavior
• warning-handling cleanup in tests (no brittle index-based assertions)
• env-override/commentary clarifications and stricter env list parsing

Local validation passed: make fmt, make lint, make test-unit, make test, make recompile.

[github-actions]

🤖 PR Triage — §28342769269

Field	Value
Category	feature
Risk	high
Score	69/100
Priority	high
Action	fast_track
Status	Ready — CHANGES_REQUESTED (skills review), test quality 82/100

Score breakdown: Impact 42 · Urgency 18 · Quality 9

Rationale: Model policy enforcement (allowed/blocked model lists, frontmatter schema, env overrides). ~48h old. Test quality APPROVED (82/100). CHANGES_REQUESTED citing 3 correctness bugs: (1) allowed+blocked conflict handling, (2) policy key leakage into cost data, (3) silent parse failure. CI pending.

⚠️ Stale: ~48h without merge. Address 3 correctness bugs from skills review before merging.

🏷️ Label cleanup: please remove pr-action:defer, pr-batch:active-drafts, pr-batch:feature-promo (stale from prior triage — keep pr-action:fast_track only).

Generated by 🔧 PR Triage Agent · 107.8 AIC · ⌖ 10.9 AIC · ⊞ 5.4K · ◷

[gh-aw-bot]

@copilot please run the pr-finisher skill, refresh this branch from main, address the unresolved review feedback, and rerun checks once the branch is up to date.

Unresolved review feedback:

• github-actions[bot]: Add model policy frontmatter + import unioning + env policy overrides #41824 (review)

Generated by 👨‍🍳 PR Sous Chef · 67.9 AIC · ⌖ 1.53 AIC · ⊞ 17.6K · ◷

[Copilot]

@copilot please run the pr-finisher skill, refresh this branch from main, address the unresolved review feedback, and rerun checks once the branch is up to date.

Unresolved review feedback:...

Done in 99bb385 (with merge refresh in baf4d7f). I refreshed this branch from main, resolved the merge conflict in smoke-claude.lock.yml, and reran local validation (make fmt, make lint, make test-unit, make test, make recompile) including wasm-golden refresh for base drift. I also checked the referenced run (28346305014) and it has no failed jobs, and PR review threads currently return no unresolved items via API.

[github-actions]

🤖 PR Triage — §28357644191

Field	Value
Category	feature
Risk	🔴 High
Score	55/100 (Impact 30 · Urgency 15 · Quality 10)
Action	fast_track

⚠️ 55.1h old — CHANGES_REQUESTED blocking. Model policy frontmatter (models.allowed/models.disallowed) + import unioning + env overrides (+657/-23, 14 files). Review cited 3 correctness bugs. Author must resolve before merging. ⚠️ Label conflict: pr-action:defer + pr-action:fast_track are both set — pr-action:defer should be removed.

Generated by 🔧 PR Triage Agent · 89.9 AIC · ⌖ 12 AIC · ⊞ 5.4K · ◷

[github-actions]

🤖 PR Triage — §28376613466

Field	Value
Category	feature
Risk	🔴 High
Priority	🔴 High
Score	51 / 100
Action	🔁 batch_review
Age	60.8h ⚠️ STALE

Score breakdown: Impact 35 + Urgency 12 + Quality 4

Rationale: Significant feature (model policy frontmatter + import unioning + env overrides), but blocked by CHANGES_REQUESTED from github-actions bot. Author has not yet addressed the review. 929+/117−, 27 files — large change requiring careful review.

Batch: Groups with #42235 and #42226 (all have CHANGES_REQUESTED pending).

⚠️ Label conflict: This PR has both pr-action:defer and pr-action:fast_track plus stale batch labels (pr-batch:active-drafts, pr-batch:feature-promo). Please manually remove conflicting labels and keep only pr-action:batch_review. Carried over from §28357644191.

Generated by 🔧 PR Triage Agent · 93.2 AIC · ⌖ 14.6 AIC · ⊞ 5.4K · ◷

[gh-aw-bot]

@copilot please run the pr-finisher skill, address the unresolved review comment, and rerun checks after the branch is refreshed.

Unresolved review:

• github-actions[bot]: Add model policy frontmatter + import unioning + env policy overrides #41824 (review)

Generated by 👨‍🍳 PR Sous Chef · 72.2 AIC · ⌖ 1.02 AIC · ⊞ 17.6K · ◷

[Copilot]

@copilot please run the pr-finisher skill, address the unresolved review comment, and rerun checks after the branch is refreshed.

Unresolved review:...

Done in 522c083.

• refreshed this branch from main and resolved merge conflicts
• reran local checks: make fmt, make lint, make test-unit, make test, make recompile
• verified the referenced run (28381497646) has no failed jobs

The branch is current and locally validated. CI on this new HEAD still needs a maintainer-triggered rerun.