feat: unify schema versioning — use repo release tag for all schemas, publish JSONL schemas as release assets

[Copilot]

AWF had two inconsistent schema versioning schemes: config schema used awf-config.v1.schema.json (independent v1), while JSONL schemas used audit/v1 / token-usage/v1 constants and were never published as release assets. The v1 naming was ambiguous and external consumers couldn't pin to a specific release's schema.

Schema files

• Renamed schemas/audit.v1.schema.json → schemas/audit.schema.json and schemas/token-usage.v1.schema.json → schemas/token-usage.schema.json
• Deleted docs/awf-config.v1.schema.json; only awf-config.schema.json remains
• Removed the independent "version": "1" field from config schema body
• Changed _schema JSON Schema constraint from const to pattern: ^audit/v\d+\.\d+\.\d+(-\w+)?$ (allows dev-build suffix)

_schema wire-format field now embeds the writer's version

// Before
{"_schema":"audit/v1","ts":1761074374.646,...}
{"_schema":"token-usage/v1","timestamp":"2025-01-01T00:00:00Z",...}

// After (for v0.26.0)
{"_schema":"audit/v0.26.0","ts":1761074374.646,...}
{"_schema":"token-usage/v0.26.0","timestamp":"2025-01-01T00:00:00Z",...}

• src/squid-config.ts: reads version from package.json at module load and interpolates it into the Squid logformat string; audit records reflect the AWF CLI version
• containers/api-proxy/Dockerfile: AWF_VERSION is now baked into the api-proxy image at build time via ARG AWF_VERSION=0.0.0-dev / ENV AWF_VERSION; the release workflow passes --build-arg AWF_VERSION=<version> so each released image carries its own correct version. Token-usage records therefore reflect the api-proxy image version, which remains correct even when --image-tag pins the proxy to a different release
• containers/api-proxy/token-tracker.js: reads AWF_VERSION from the baked-in env var; emits a stderr warning if unset and falls back to 0.0.0-dev; updated validateTokenUsageRecord to allow the -dev suffix via regex pattern
• src/docker-manager.ts: no longer injects AWF_VERSION — the container's baked-in version is used instead, with a comment explaining the rationale

Release workflow

• scripts/generate-schema.mjs: no longer writes a v1 file; generates all three schemas (awf-config, audit, token-usage) with versioned $id URLs at release time
• .github/workflows/release.yml: copies all three schemas to release/ and uploads them as release assets; keeps awf-config.v1.schema.json as a compatibility alias (identical to awf-config.schema.json) so existing consumers are not broken

Release asset URLs follow the pattern:

https://github.com/github/gh-aw-firewall/releases/download/<tag>/awf-config.schema.json
https://github.com/github/gh-aw-firewall/releases/download/<tag>/awf-config.v1.schema.json  ← compatibility alias
https://github.com/github/gh-aw-firewall/releases/download/<tag>/audit.schema.json
https://github.com/github/gh-aw-firewall/releases/download/<tag>/token-usage.schema.json

Tests & docs

• squid-config.test.ts: asserts the exact package.json version string in the logformat (not just a semver-shaped regex)
• token-tracker.test.js: adds a jest.isolateModules() describe block that sets AWF_VERSION=9.8.7 and verifies the emitted _schema is exactly token-usage/v9.8.7; all existing pattern assertions tightened to (-\w+)?$
• Updated schema.test.ts, log-parser.test.ts, schemas/README.md, and docs/releasing.md with new versioning policy, download URLs, and a deprecation/migration note for the old awf-config.v1.schema.json raw URL
• Updated samples/audit/audit.jsonl sample file

[github-actions]

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit 4d97374

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	85.75%	85.84%	📈 +0.09%
Statements	85.63%	85.72%	📈 +0.09%
Functions	88.11%	88.11%	➡️ +0.00%
Branches	78.65%	78.69%	📈 +0.04%

📁 Per-file Coverage Changes (2 files)

File	Lines (Before → After)	Statements (Before → After)
src/squid-config.ts	96.9% → 96.9% (+0.01%)	97.0% → 97.0% (+0.02%)
src/docker-manager.ts	87.4% → 87.7% (+0.29%)	87.0% → 87.3% (+0.27%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

This PR moves AWF’s schema versioning away from ad hoc v1 filenames and toward release-version-based identifiers, so config schemas, audit logs, and token-usage logs all reference the repo version in a more unified way. It touches runtime emitters, schema generation, release packaging, tests, samples, and docs to align the new naming/versioning model across the codebase.

Changes:

• Replaces *.v1.schema.json naming with stable filenames and semver-pattern _schema fields for audit/token-usage records.
• Updates schema generation and release packaging to publish config, audit, and token-usage schemas as release assets with versioned $id values.
• Threads AWF version information into runtime log emitters and refreshes tests, samples, and documentation to reflect the new contract.

Show a summary per file

File	Description
src/squid-config.ts	Stamps audit JSONL _schema with the AWF version in generated Squid config.
src/squid-config.test.ts	Updates audit logformat tests for semver-style _schema values.
src/schema.test.ts	Removes legacy v1-schema expectations from config schema tests.
src/logs/log-parser.test.ts	Refreshes parser fixture data to use versioned audit _schema values.
src/docker-manager.ts	Forwards AWF_VERSION into the api-proxy container environment.
src/awf-config-schema.json	Updates embedded config schema metadata to the new unversioned filename.
scripts/generate-schema.mjs	Reworks schema generation to emit config/audit/token-usage schemas with versioned $ids.
schemas/token-usage.schema.json	Renames/updates token usage schema to semver-pattern _schema validation.
schemas/audit.schema.json	Renames/updates audit schema to semver-pattern _schema validation.
schemas/README.md	Documents the new schema naming, release URLs, and _schema conventions.
samples/audit/audit.jsonl	Refreshes sample audit records to the new _schema format.
docs/releasing.md	Updates release documentation for the new schema assets and versioning model.
docs/awf-config.v1.schema.json	Removes the legacy version-suffixed config schema file.
docs/awf-config.schema.json	Drops the old in-body version field from the published config schema.
containers/api-proxy/token-tracker.test.js	Adjusts token-tracker tests for semver _schema handling.
containers/api-proxy/token-tracker.js	Emits versioned token-usage _schema values and validates them by pattern.
.github/workflows/release.yml	Changes release packaging to generate/upload the new schema asset set.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 17/17 changed files
• Comments generated: 7

[lpcox]

@copilot address the review feedback

[Copilot]

@copilot address the review feedback

Addressed all review feedback in commits c2e2b45 and f0ec5ea:

• Version source / mixed-image correctness: AWF_VERSION is now baked into the api-proxy Dockerfile via ARG AWF_VERSION=0.0.0-dev / ENV AWF_VERSION, and the release workflow passes --build-arg AWF_VERSION=<version_number>. docker-manager.ts no longer overrides it, so token-usage records reflect the api-proxy container version regardless of the CLI version or --image-tag pinning.

• awf-config.v1.schema.json kept as compatibility alias: the release workflow now copies awf-config.schema.json → awf-config.v1.schema.json and uploads both, so existing consumers that pin to …/releases/download/<tag>/awf-config.v1.schema.json continue to work.

• Docs migration note: docs/releasing.md documents the old v1 URL as deprecated but preserved as an alias, and notes that docs/awf-config.v1.schema.json in the repo has been removed.

• Tests assert exact version: squid-config.test.ts now asserts the exact package.json version string. token-tracker.test.js adds a jest.isolateModules() describe block that sets AWF_VERSION=9.8.7 and verifies the emitted _schema is exactly token-usage/v9.8.7.

• Fallback: changed from 0.0.0 to 0.0.0-dev with a warning log; schema patterns updated to allow the -dev suffix ((-\w+)?).

[github-actions]

Smoke Test Results:
✅ GitHub API: #2396, #2384
✅ Playwright: GitHub.com title verified
✅ File Writing: Test file created
✅ Bash: File verified

Status: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

🔬 Smoke Test Results

Test	Result
GitHub MCP connectivity	✅
GitHub.com HTTP	⚠️ template vars unexpanded
File write/read	⚠️ template vars unexpanded

PR: feat: unify schema versioning — use repo release tag for all schemas, publish JSONL schemas as release assets
Author: @Copilot | Assignees: @lpcox, @Copilot

Overall: PARTIAL — MCP ✅, pre-step data not injected (template variables were not expanded by the runner).

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	✅ (PR #2396 fetched successfully)
GitHub.com HTTP connectivity	✅ (MCP API reachable)
File write/read	⚠️ Template vars not substituted (pre-step skipped)
BYOK inference (this response)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: PASS (core BYOK path verified)

PR author: @Copilot — Assignees: @lpcox, @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test

• PR review, last 2 merged PR titles: ❌ unavailable (safeinputs-gh / GitHub MCP missing)
• GH CLI PR query, 2 PRs: ❌ unavailable (safeinputs-gh missing)
• Playwright github.com title contains GitHub: ✅
• Tavily search returned results: ❌ unavailable (Tavily MCP missing)
• File write + cat readback: ✅
• Latest discussion oracle comment: ❌ unavailable (github-discussion-query missing)
• npm ci && npm run build: ✅
• Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.14.1	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all versions match — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2398 · ● 523.2K · ◷

[github-actions]

Smoke Test: Gemini Engine Validation

• GitHub MCP Testing: ✅
• GitHub.com Connectivity: ✅ (HTTP 200)
• File Write/Read Test: ✅

Overall Status: PASS

@Copilot

💎 Faceted by Smoke Gemini

[github-actions]

Smoke Test Results

• Redis PING: ❌ (timeout — no response)
• PostgreSQL pg_isready: ❌ (no response)
• PostgreSQL SELECT 1: ❌ (skipped)

Overall: FAIL — host.docker.internal is unreachable on both ports 6379 and 5432 from this runner environment.

🔌 Service connectivity validated by Smoke Services