Skip to content

Threat detection always fails with codex + custom OPENAI_BASE_URL: detection api-proxy never receives the custom target #45923

Description

@alvistar

Summary

When the codex engine is pointed at a custom OpenAI-compatible endpoint via engine.env.OPENAI_BASE_URL, the main agent job works, but the threat-detection job always fails (agentic execution exit 1) and every safe-output comment gets the agentic threat detected / results could not be parsed caution banner.

Environment

  • gh-aw v0.81.6, AWF containers 0.27.11
  • engine: {id: codex, env: {OPENAI_BASE_URL: "https://<internal-router>/v1", OPENAI_API_KEY: ...}}
  • self-hosted Linux runner, firewall rootless (sandbox.agent.sudo: false)
  • safe-outputs: {add-comment: {max: 1}}

Symptom

Detection job log: codex fails with repeated models fetch returned 503 for http://api-proxy:10000/v1/models, then DETECTION_AGENTIC_EXECUTION_OUTCOME: failure. Main agent job in the same run succeeds against the same endpoint.

Root cause (from source)

  1. The AWF api-proxy targets.openai.host is derived only from WorkflowData.EngineConfig.Env["OPENAI_BASE_URL"]pkg/workflow/awf_config.go:507 (extractAPITargetHost).
  2. The detection job rebuilds its WorkflowData with EngineConfig{ID, APITarget} and does not inherit Envpkg/workflow/threat_detection_external.go (threatDetectionData.EngineConfig = &EngineConfig{ID: engineID} / the canReuseThreatDetectionEngineConfigForExternalDetector branch copies APITarget only).
  3. Result: the detection api-proxy has no custom openai target, dials the default host with a key that is only valid on the custom router → every request fails → 503 to codex.

Related secondary issue: getThreatDetectionAdditionalAllowedDomains (pkg/workflow/threat_detection_helpers.go:73) propagates custom network.allowed entries to the detection firewall only when COPILOT_PROVIDER_BASE_URL is set, so codex+custom-endpoint users lose their squid allowlist entries in detection too. Setting engine.api-target works around the allowlist half (via mergeAPITargetDomains) but not the api-proxy target half.

Expected

Detection should reach the same endpoint the main engine uses: inherit the engine base-URL env vars (OPENAI_BASE_URL, ANTHROPIC_BASE_URL) into the detection EngineConfig.Env, or compute the detection awf-config apiProxy targets from the parent WorkflowData.

Workaround

safe-outputs: {threat-detection: false} — which drops the detection layer entirely for custom-endpoint users.

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions