Enable --enable-api-proxy for Claude and Codex engines (#15533)

* Enable --enable-api-proxy for Claude and Codex engines, pre-pull api-proxy image

The AWF api-proxy sidecar securely holds LLM API keys and proxies requests
through the firewall. It exposes two endpoints:
  - Port 10000: OpenAI API proxy (for Codex)
  - Port 10001: Anthropic API proxy (for Claude)

Changes:
- claude_engine.go: Add --enable-api-proxy to AWF args when firewall is enabled
- codex_engine.go: Add --enable-api-proxy to AWF args when firewall is enabled
- docker.go: Pre-pull ghcr.io/github/gh-aw-firewall/api-proxy image for Claude
  and Codex engines (required because --skip-pull is used)
- Add unit tests for docker image collection and engine flag generation
- Recompile all workflow lock files

Fixes the smoke-claude failure where AWF tried to start the api-proxy container
but the image wasn't pre-pulled:
  Container awf-api-proxy  Error response from daemon: No such image:
  ghcr.io/github/gh-aw-firewall/api-proxy:0.16.5

Note: The api-proxy Docker image must also be published to GHCR via the
gh-aw-firewall release workflow before smoke tests will pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Bump DefaultFirewallVersion to v0.17.0

v0.17.0 includes the api-proxy container image in the release pipeline,
which is required for --enable-api-proxy to work with --skip-pull.

Recompiled all 150 workflow lock files to reference v0.17.0 images.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Update frontmatter hash and correct GitHub domain in allowed domains list

* [WIP] Enable --enable-api-proxy for Claude and Codex engines (#15550)

* Initial plan

* Revert Codex API proxy changes

- Remove --enable-api-proxy flag from codex_engine.go
- Update docker.go to exclude Codex from API proxy image collection
- Remove Codex test case from enable_api_proxy_test.go
- Remove Codex test case from docker_api_proxy_test.go
- Recompile workflows: smoke-codex, codex-github-remote-mcp-test, changeset

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Refactor download container images command to remove api-proxy from multiple workflows

* Refactor API proxy to use supportsLLMGateway engine flag (#15557)

* Initial plan

* Use supportsLLMGateway flag to control api-proxy image and --enable-api-proxy flag

- Set Claude engine supportsLLMGateway: true
- Set Codex engine supportsLLMGateway: false
- Refactor docker.go to check engine's supportsLLMGateway flag instead of hardcoded engine name
- Refactor claude_engine.go to conditionally add --enable-api-proxy based on supportsLLMGateway
- Add same conditional logic to codex_engine.go for future LLM gateway support
- Update tests to verify behavior for all engines

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

* Apply formatting to claude_engine.go

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Author: 4 people