github · pelikhan · May 22, 2026 · May 21, 2026 · May 21, 2026 · May 21, 2026
diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml
diff --git a/.github/workflows/smoke-pi.lock.yml b/.github/workflows/smoke-pi.lock.yml
diff --git a/.github/workflows/smoke-pi.md b/.github/workflows/smoke-pi.md
@@ -17,6 +17,8 @@ engine:
   id: pi
   model: copilot/claude-sonnet-4-20250514
 strict: true
+runtimes:
+  node: {}
 imports:
   - shared/gh.md
   - shared/reporting-otlp.md

diff --git a/actions/setup/js/awf_reflect.cjs b/actions/setup/js/awf_reflect.cjs
@@ -26,7 +26,7 @@ const AWF_API_PROXY_REFLECT_URL = "http://api-proxy:10000/reflect";
 // co-located with other AWF firewall observability data so it is included in the agent artifact.
 const AWF_REFLECT_OUTPUT_PATH = "/tmp/gh-aw/sandbox/firewall/awf-reflect.json";
 // Milliseconds to wait for the /reflect endpoint before giving up.
-const AWF_REFLECT_TIMEOUT_MS = 5000;
+const AWF_REFLECT_TIMEOUT_MS = 60000;
 // Milliseconds to wait for each models_url fallback fetch (shorter than the main reflect timeout).
 const AWF_MODELS_URL_TIMEOUT_MS = 3000;
 // Gemini model name prefix stripped from model IDs in the Gemini models API response.
@@ -165,7 +165,15 @@ async function enrichReflectModels(reflectData, timeoutMs, logger) {
  *   logger?: (msg: string) => void,
  *   writeFileSync?: (path: string, data: string, options: object) => void,
  * }=} options
- * @returns {Promise<void>}
+ * @returns {Promise<{
+ *   ok: boolean,
+ *   reflectUrl: string,
+ *   outputPath: string,
+ *   bytesWritten?: number,
+ *   reason?: "unexpected_status"|"timeout"|"request_failed",
+ *   status?: number,
+ *   error?: string,
+ * }>}
  */
 async function fetchAWFReflect(options) {
   const reflectUrl = (options && options.reflectUrl) || AWF_API_PROXY_REFLECT_URL;
@@ -178,7 +186,9 @@ async function fetchAWFReflect(options) {
   logger(`awf-reflect: fetching ${reflectUrl} (timeout=${timeoutMs}ms)`);
 
   const ac = new AbortController();
+  let timedOut = false;
   const timer = setTimeout(() => {
+    timedOut = true;
     logger(`awf-reflect: request timed out after ${timeoutMs}ms`);
     ac.abort();
   }, timeoutMs);
@@ -187,7 +197,13 @@ async function fetchAWFReflect(options) {
     const res = await fetch(reflectUrl, { signal: ac.signal });
     if (!res.ok) {
       logger(`awf-reflect: unexpected status ${res.status}, skipping`);
-      return;
+      return {
+        ok: false,
+        reflectUrl,
+        outputPath,
+        reason: "unexpected_status",
+        status: res.status,
+      };
     }
     const reflectData = await res.json();
     // Attempt to fill in null models for configured providers by fetching directly
@@ -198,15 +214,35 @@ async function fetchAWFReflect(options) {
     fs.mkdirSync(path.dirname(outputPath), { recursive: true });
     writeFile(outputPath, enrichedBody, { encoding: "utf8" });
     logger(`awf-reflect: saved ${enrichedBody.length}B to ${outputPath}`);
+    return {
+      ok: true,
+      reflectUrl,
+      outputPath,
+      bytesWritten: enrichedBody.length,
+    };
   } catch (err) {
     const e = /** @type {Error} */ err;
     if (e.name === "AbortError") {
-      return; // already logged above
+      return {
+        ok: false,
+        reflectUrl,
+        outputPath,
+        reason: "timeout",
+        error: timedOut ? `request timed out after ${timeoutMs}ms` : e.message,
+      };
     }
     logger(`awf-reflect: request failed: ${e.message}`);
+    return {
+      ok: false,
+      reflectUrl,
+      outputPath,
+      reason: "request_failed",
+      error: e.message,
+    };
   } finally {
     clearTimeout(timer);
   }
+
 }
 
 if (typeof module !== "undefined" && module.exports) {

diff --git a/actions/setup/js/awf_reflect.test.cjs b/actions/setup/js/awf_reflect.test.cjs
@@ -22,7 +22,7 @@ describe("awf_reflect.cjs", () => {
     it("exports expected default values", () => {
       expect(AWF_API_PROXY_REFLECT_URL).toBe("http://api-proxy:10000/reflect");
       expect(AWF_REFLECT_OUTPUT_PATH).toBe("/tmp/gh-aw/sandbox/firewall/awf-reflect.json");
-      expect(AWF_REFLECT_TIMEOUT_MS).toBe(5000);
+      expect(AWF_REFLECT_TIMEOUT_MS).toBe(60000);
       expect(AWF_MODELS_URL_TIMEOUT_MS).toBe(3000);
       expect(GEMINI_MODEL_NAME_PREFIX).toBe("models/");
     });
@@ -198,14 +198,20 @@ describe("awf_reflect.cjs", () => {
       const logs = [];
 
       try {
-        await fetchAWFReflect({
+        const result = await fetchAWFReflect({
           reflectUrl: "http://api-proxy:10000/reflect",
           outputPath,
           timeoutMs: 3000,
           modelsTimeoutMs: 1000,
           logger: msg => logs.push(msg),
         });
 
+        expect(result).toEqual({
+          ok: true,
+          reflectUrl: "http://api-proxy:10000/reflect",
+          outputPath,
+          bytesWritten: expect.any(Number),
+        });
         const saved = JSON.parse(fs.readFileSync(outputPath, "utf8"));
         expect(saved.endpoints[0].models).toEqual(["gpt-4o", "gpt-4o-mini"]);
         expect(logs.some(l => l.includes("saved "))).toBe(true);
@@ -224,7 +230,13 @@ describe("awf_reflect.cjs", () => {
           timeoutMs: 500,
           logger: msg => logs.push(msg),
         })
-      ).resolves.toBeUndefined();
+      ).resolves.toEqual({
+        ok: false,
+        reflectUrl: "http://api-proxy:10000/reflect",
+        outputPath: "/tmp/gh-aw-test-noop.json",
+        reason: "request_failed",
+        error: "ECONNREFUSED",
+      });
       expect(logs.some(l => l.includes("request failed"))).toBe(true);
     });
 
@@ -238,7 +250,13 @@ describe("awf_reflect.cjs", () => {
           timeoutMs: 500,
           logger: msg => logs.push(msg),
         })
-      ).resolves.toBeUndefined();
+      ).resolves.toEqual({
+        ok: false,
+        reflectUrl: "http://api-proxy:10000/reflect",
+        outputPath: "/tmp/gh-aw-test-noop.json",
+        reason: "unexpected_status",
+        status: 503,
+      });
       expect(logs.some(l => l.includes("unexpected status 503"))).toBe(true);
     });
 

diff --git a/actions/setup/js/pi_provider.cjs b/actions/setup/js/pi_provider.cjs
@@ -82,6 +82,94 @@ function resolveGatewayUrl(provider) {
   return `http://api-proxy:${port}`;
 }
 
+/**
+ * Join a base URL and relative API path without duplicating slashes.
+ *
+ * @param {string} baseUrl
+ * @param {string} apiPath
+ * @returns {string}
+ */
+function joinApiUrl(baseUrl, apiPath) {
+  return `${baseUrl.replace(/\/+$/, "")}${apiPath}`;
+}
+
+/**
+ * Resolve the Pi model's inferred provider request target for logging.
+ *
+ * @param {any} model
+ * @returns {{ api: string, method: string, url: string }}
+ */
+function resolveProviderRequestTarget(model) {
+  const api = typeof model?.api === "string" && model.api ? model.api : "(unknown api)";
+  const method = "POST";
+  const baseUrl = typeof model?.baseUrl === "string" && model.baseUrl ? model.baseUrl : "";
+
+  if (!baseUrl) {
+    return { api, method, url: "(baseUrl unavailable)" };
+  }
+
+  switch (api) {
+    case "openai-completions":
+      return { api, method, url: joinApiUrl(baseUrl, "/chat/completions") };
+    case "openai-responses":
+    case "azure-openai-responses":
+    case "openai-codex-responses":
+      return { api, method, url: joinApiUrl(baseUrl, "/responses") };
+    case "anthropic":
+    case "anthropic-messages":
+      return { api, method, url: joinApiUrl(baseUrl, "/messages") };
+    case "mistral-conversations":
+      return { api, method, url: joinApiUrl(baseUrl, "/conversations") };
+    default:
+      return { api, method, url: baseUrl };
+  }
+}
+
+/**
+ * Format response header names for logs without printing sensitive values.
+ *
+ * @param {Record<string, string>|undefined|null} headers
+ * @returns {string}
+ */
+function formatResponseHeaderNames(headers) {
+  const names = Object.keys(headers || {})
+    .map(name => String(name).toLowerCase())
+    .sort();
+  return names.length > 0 ? names.join(",") : "none";
+}
+
+/**
+ * Log extra context when the AWF /reflect call does not produce a snapshot.
+ *
+ * @param {{
+ *   phase: string,
+ *   provider: string,
+ *   model: string,
+ *   result: {
+ *     ok: boolean,
+ *     reflectUrl: string,
+ *     outputPath: string,
+ *     reason?: string,
+ *     status?: number,
+ *     error?: string,
+ *   },
+ *   logger: (msg: string) => void,
+ * }} params
+ * @returns {void}
+ */
+function logReflectFailure(params) {
+  const { phase, provider, model, result, logger } = params;
+  if (!result || result.ok) {
+    return;
+  }
+
+  const status = typeof result.status === "number" ? ` status=${result.status}` : "";
+  const error = result.error ? ` error=${JSON.stringify(result.error)}` : "";
+  logger(
+    `reflect_failure phase=${phase} provider=${provider || "(no provider prefix)"} model=${model || "(not set)"} url=${result.reflectUrl} output=${result.outputPath} reason=${result.reason || "unknown"}${status}${error}`
+  );
+}
+
 /**
  * Register a Pi provider and any aliases.
  *
@@ -175,8 +263,44 @@ function registerConfiguredProviders(pi, logger) {
  */
 function piProviderExtension(pi) {
   const log = DEFAULT_LOGGER;
+  /** @type {{ api: string, method: string, url: string }|null} */
+  let lastProviderRequest = null;
+  /** @type {{ status: number, responseHeaders: string }|null} */
+  let lastProviderResponse = null;
   registerConfiguredProviders(pi, log);
 
+  pi.on("before_provider_request", (_event, ctx) => {
+    lastProviderRequest = resolveProviderRequestTarget(ctx && ctx.model);
+    lastProviderResponse = null;
+    const provider = ctx?.model?.provider || "(unknown provider)";
+    const model = ctx?.model?.id || getConfiguredModel() || "(unknown model)";
+    log(`provider_request provider=${provider} model=${model} api=${lastProviderRequest.api} method=${lastProviderRequest.method} url=${lastProviderRequest.url}`);
+  });
+
+  pi.on("after_provider_response", (event, ctx) => {
+    const request = lastProviderRequest || resolveProviderRequestTarget(ctx && ctx.model);
+    lastProviderResponse = {
+      status: event.status,
+      responseHeaders: formatResponseHeaderNames(event.headers),
+    };
+    const provider = ctx?.model?.provider || "(unknown provider)";
+    const model = ctx?.model?.id || getConfiguredModel() || "(unknown model)";
+    log(`provider_response provider=${provider} model=${model} status=${event.status} method=${request.method} url=${request.url} response_headers=${lastProviderResponse.responseHeaders}`);
+  });
+
+  pi.on("message_end", event => {
+    const message = event && event.message;
+    if (message?.role !== "assistant" || message?.stopReason !== "error" || !message?.errorMessage) {
+      return;
+    }
+    const request = lastProviderRequest || { api: message.api || "(unknown api)", method: "POST", url: "(request unavailable)" };
+    const status = lastProviderResponse ? String(lastProviderResponse.status) : "no-response";
+    const responseHeaders = lastProviderResponse ? lastProviderResponse.responseHeaders : "none";
+    log(
+      `provider_error provider=${message.provider || "(unknown provider)"} model=${message.model || "(unknown model)"} api=${request.api} status=${status} method=${request.method} url=${request.url} response_headers=${responseHeaders} error=${JSON.stringify(message.errorMessage)}`
+    );
+  });
+
   pi.on("agent_start", async () => {
     const model = getConfiguredModel();
     const provider = extractProviderFromModel(model);
@@ -196,13 +320,14 @@ function piProviderExtension(pi) {
     // This is best-effort: failures are logged but do not affect the agent session.
     // Skip when AWF_REFLECT_ENABLED is not "1" (e.g. sandbox.agent: false — no api-proxy running).
     if (process.env.AWF_REFLECT_ENABLED === "1") {
-      await fetchAWFReflect({
+      const result = await fetchAWFReflect({
         reflectUrl: AWF_API_PROXY_REFLECT_URL,
         outputPath: AWF_REFLECT_OUTPUT_PATH,
         timeoutMs: AWF_REFLECT_TIMEOUT_MS,
         modelsTimeoutMs: AWF_MODELS_URL_TIMEOUT_MS,
         logger: log,
       });
+      logReflectFailure({ phase: "agent_start", provider, model, result, logger: log });
     }
   });
 
@@ -211,13 +336,16 @@ function piProviderExtension(pi) {
     // This is best-effort: failures are logged but do not affect the agent exit code.
     // Skip when AWF_REFLECT_ENABLED is not "1" (e.g. sandbox.agent: false — no api-proxy running).
     if (process.env.AWF_REFLECT_ENABLED === "1") {
-      await fetchAWFReflect({
+      const model = getConfiguredModel();
+      const provider = extractProviderFromModel(model);
+      const result = await fetchAWFReflect({
         reflectUrl: AWF_API_PROXY_REFLECT_URL,
         outputPath: AWF_REFLECT_OUTPUT_PATH,
         timeoutMs: AWF_REFLECT_TIMEOUT_MS,
         modelsTimeoutMs: AWF_MODELS_URL_TIMEOUT_MS,
         logger: log,
       });
+      logReflectFailure({ phase: "agent_end", provider, model, result, logger: log });
     }
   });
 }
@@ -227,3 +355,6 @@ module.exports.getConfiguredModel = getConfiguredModel;
 module.exports.extractProviderFromModel = extractProviderFromModel;
 module.exports.resolveGatewayUrl = resolveGatewayUrl;
 module.exports.registerConfiguredProviders = registerConfiguredProviders;
+module.exports.resolveProviderRequestTarget = resolveProviderRequestTarget;
+module.exports.formatResponseHeaderNames = formatResponseHeaderNames;
+module.exports.logReflectFailure = logReflectFailure;