Rename supportsLLMGateway bool to llmGatewayPort int and remove SupportsLLMGateway() from interface

[Copilot]

• Update BaseEngine struct: replace supportsLLMGateway bool with llmGatewayPort int
• Remove per-engine SupportsLLMGateway() overrides
• Remove SupportsLLMGateway() int from the CodingAgentEngine interface
• Remove BaseEngine.SupportsLLMGateway() method; add unexported getLLMGatewayPort() for Register() validation
• Remove UsesAPIProxy field from AWFCommandConfig entirely — --enable-host-access and --enable-api-proxy are now added unconditionally in BuildAWFArgs
• Simplify docker.go: remove conditional registry lookup
• Clean up strict_mode_validation.go: remove dead llmGatewayPort < 0 branch and unused GetEngine call
• Update tests: remove TestSupportsLLMGateway, remove SupportsLLMGateway() assertion

Original prompt

Rename supportLLMGateway to llmGatewayPort in agentic workflows engine. It is mandatory, fail if < 0

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

---

Changeset

• Type: minor
• Description: Renamed the agentic workflow engine's supportsLLMGateway flag to llmGatewayPort, required/validated the gateway port, removed the SupportsLLMGateway interface hooks, and consolidated the API proxy/host-access workflow flags.

Generated by Changeset Generator for issue #18838

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• github.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "github.com"

See Network Configuration for more information.

---

---

✨ PR Review Safe Output Test - Run 22522442966

💥 [THE END] — Illustrated by Smoke Claude

[pelikhan]

@copilot remove SupportsLLMGateway() it must always be true

[Copilot]

@copilot remove SupportsLLMGateway() it must always be true

Done in dccbed6. Removed SupportsLLMGateway() from the interface and BaseEngine entirely. All callers simplified to usesAPIProxy := true, the dead < 0 branch in strict-mode validation was removed, and docker.go no longer needs to query the engine registry to decide whether to add the api-proxy image.

[pelikhan]

@copilot UsesAPIProxy is alway true. Remove and simplify code using it

[Copilot]

@copilot UsesAPIProxy is alway true. Remove and simplify code using it

Done in 5373113. Removed the UsesAPIProxy field from AWFCommandConfig entirely — --enable-host-access and --enable-api-proxy are now added unconditionally in BuildAWFArgs, and all four engine call sites no longer pass the field.

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

Agent Container Tool Check

Tool	Status	Version
bash	✅	5.2.21
sh	✅	available
git	✅	2.53.0
jq	✅	1.7
yq	✅	v4.52.4
curl	✅	8.5.0
gh	✅	2.87.3
node	✅	v20.20.0
python3	✅	3.12.3
go	✅	1.24.13
java	✅	10.0.102
dotnet	✅	10.0.102

Result: 12/12 tools available ✅

Overall Status: PASS

🔧 Tool validation by Agent Container Smoke Test

[github-actions]

Commit pushed: 1df9e44

Generated by Changeset Generator

[github-actions]

Smoke test results for @pelikhan and @Copilot:

• ✅ GitHub MCP
• ✅ Safe Inputs GH CLI
• ❌ Serena MCP (not available)
• ✅ Playwright
• ✅ Web Fetch
• ✅ File Writing
• ✅ Bash Tool
• ✅ Discussion Interaction
• ✅ Build gh-aw
• ✅ Discussion Creation
• ✅ Workflow Dispatch
• ✅ PR Review

Overall: ⚠️ PARTIAL PASS (11/12 — Serena MCP unavailable)

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

💥 Automated smoke test review - all systems nominal! The rename from SupportsLLMGateway() bool to llmGatewayPort int is a clean simplification that removes an unnecessary abstraction layer.

💥 [THE END] — Illustrated by Smoke Claude

[Copilot]

Pull request overview

Renames per-engine LLM gateway support flag/method to a single llmGatewayPort int on BaseEngine, removes SupportsLLMGateway() from engine APIs, and makes AWF API-proxy/host-access flags unconditional.

Changes:

• Replace supportsLLMGateway bool + SupportsLLMGateway() overrides with llmGatewayPort int on BaseEngine and registry-time validation.
• Make AWF argument building always include --enable-host-access and --enable-api-proxy; remove UsesAPIProxy from AWFCommandConfig.
• Simplify strict-mode firewall validation/tests and ensure api-proxy image collection no longer depends on per-engine gateway support.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/workflow/agentic_engine.go	Reworks engine capability surface; introduces llmGatewayPort and registry validation.
pkg/workflow/awf_helpers.go	Removes UsesAPIProxy config and unconditionally enables host-access + api-proxy flags.
pkg/workflow/docker.go	Simplifies docker image collection for AWF sidecars (api-proxy).
pkg/workflow/strict_mode_validation.go	Removes engine lookup / LLM gateway branching from strict firewall validation.
pkg/workflow/strict_mode_llm_gateway_test.go	Updates strict-mode tests to align with new “general error” behavior.
pkg/workflow/claude_engine.go	Sets llmGatewayPort and removes per-engine SupportsLLMGateway() override/usage.
pkg/workflow/codex_engine.go	Sets llmGatewayPort and removes per-engine SupportsLLMGateway() override/usage.
pkg/workflow/copilot_engine.go	Sets llmGatewayPort and removes per-engine SupportsLLMGateway() override.
pkg/workflow/copilot_engine_execution.go	Removes conditional UsesAPIProxy wiring into AWF command build.
pkg/workflow/gemini_engine.go	Sets llmGatewayPort and removes per-engine SupportsLLMGateway() override/usage.
pkg/workflow/gemini_engine_test.go	Removes SupportsLLMGateway() assertion from capability tests.
.changeset/minor-rename-llmgateway-port.md	Adds changeset entry describing the rename and behavior changes.

Comments suppressed due to low confidence (1)

pkg/workflow/agentic_engine.go:378

• The llmGatewayPort validation only checks < 0, which allows the zero value (0) when an engine forgets to initialize the field. Since this value represents a network port (and built-in ports are positive), it would be safer to validate it’s within a valid port range (e.g., 1–65535) or at least > 0 to catch misconfiguration early.

	type portProvider interface{ getLLMGatewayPort() int }
	if p, ok := engine.(portProvider); ok && p.getLLMGatewayPort() < 0 {
		panic(fmt.Sprintf("engine '%s': llmGatewayPort must be >= 0, got %d", engine.GetID(), p.getLLMGatewayPort()))
	}

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

collectDockerImages only adds the api-proxy sidecar image when workflowData.AI != "". However, workflows that rely on the default engine can legitimately have AI == "" (the compiler falls back to GetDefaultEngine()), while AWF args now always include --enable-api-proxy and --skip-pull. In that case the workflow can fail at runtime because the required api-proxy image was never pre-downloaded. Consider removing the workflowData.AI != "" guard (or basing the decision on whether AWF will be invoked) so api-proxy is always included whenever the firewall/AWF is enabled.

See below for a potential fix:

		apiProxyImage := constants.DefaultFirewallRegistry + "/api-proxy:" + awfImageTag
		if !imageSet[apiProxyImage] {
			images = append(images, apiProxyImage)
			imageSet[apiProxyImage] = true
			dockerLog.Printf("Added AWF api-proxy sidecar container: %s", apiProxyImage)

[Copilot]

Register validates llmGatewayPort only when the engine satisfies an interface with an unexported method (getLLMGatewayPort). Engines implemented outside the workflow package can’t implement that method, so the assertion will always fail and the validation will be skipped. If llmGatewayPort is mandatory, consider making the port accessor exported (or part of a public optional interface) and/or treating “missing port provider” as an error so invalid/misconfigured engines can’t be registered silently.

This issue also appears on line 375 of the same file.