From 81daf329cbf98f9c35d1bc8da677ce2d84863166 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 25 Jun 2026 21:18:27 +0000
Subject: [PATCH 1/3] Normalize Pi detection model for Copilot
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/threat_detection_inline_engine.go | 10 ++++++++++
 pkg/workflow/threat_detection_test.go | 15 +++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/pkg/workflow/threat_detection_inline_engine.go b/pkg/workflow/threat_detection_inline_engine.go
index 72b4c2cc588..a797032bc68 100644
--- a/pkg/workflow/threat_detection_inline_engine.go
+++ b/pkg/workflow/threat_detection_inline_engine.go
@@ -34,6 +34,13 @@ func (c *Compiler) buildDetectionEngineExecutionStep(data *WorkflowData) []strin
 if hasThreatDetectionEngineConfig {
 engineConfig = data.SafeOutputs.ThreatDetection.EngineConfig
 }
+ originalEngineID := data.AI
+ if data.EngineConfig != nil && data.EngineConfig.ID != "" {
+ originalEngineID = data.EngineConfig.ID
+ }
+ if hasThreatDetectionEngineConfig && data.SafeOutputs.ThreatDetection.EngineConfig.ID != "" {
+ originalEngineID = data.SafeOutputs.ThreatDetection.EngineConfig.ID
+ }
 // Get the engine instance
 engine, err := c.getAgenticEngine(engineSetting)
@@ -87,6 +94,9 @@ func (c *Compiler) buildDetectionEngineExecutionStep(data *WorkflowData) []strin
 if detectionEngineConfig.APITarget == "" && data.EngineConfig != nil && data.EngineConfig.APITarget != "" {
 detectionEngineConfig.APITarget = data.EngineConfig.APITarget
 }
+ if detectionEngineConfig.ID == "copilot" && originalEngineID == "pi" {
+ detectionEngineConfig.Model = extractPiModelID(detectionEngineConfig.Model)
+ }
 // Create minimal WorkflowData for threat detection.
 // SandboxConfig with AWF enabled ensures the engine runs inside the firewall.
diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go
index d1af1a6229c..14fa42f73f4 100644
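Review bot: The `originalEngineID` block in the first hunk re-derives engine precedence by hand (`data.AI`, then `data.EngineConfig.ID`, then the threat-detection engine ID), separately from wherever `engineSetting` is resolved. That resolution happens earlier in buildDetectionEngineExecutionStep, outside the hunk, so I cannot confirm the two agree. If they ever drift, the Pi check further down stops matching without any error, and a provider-scoped model string would reach the Copilot detection step unchanged. Capturing the pre-normalization ID at the point where `engineSetting` is computed would avoid the duplication. Failing that, a table test that drives each of the three precedence levels with `"pi"` would catch drift.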
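Review bot: The second hunk passes any Pi model through `extractPiModelID`, regardless of which provider the prefix names. PATCH 2/3 keeps the same call and only changes the guard. The helper is not visible here, but if it just drops the provider segment, a model scoped to a provider other than `copilot` would reach the Copilot CLI as a bare ID it may not serve. The threat-detection step could then fail, or run on a model the workflow author did not choose. For a security gate I would rather fall back to the detection default in that case, e.g. `if provider, _, ok := strings.Cut(detectionEngineConfig.Model, "/"); ok && provider != "copilot" { detectionEngineConfig.Model = "" }` ahead of the `extractPiModelID` call. This assumes `strings` is already imported in the file.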
--- a/pkg/workflow/threat_detection_test.go
+++ b/pkg/workflow/threat_detection_test.go
@@ -1269,6 +1269,21 @@ func TestCopilotDetectionDefaultModel(t *testing.T) {
 shouldContainModel: true,
 expectedModel: "gpt-4",
 },
+ {
+ name: "pi engine threat detection normalizes provider-scoped model for copilot fallback",
+ data: &WorkflowData{
+ AI: "pi",
+ EngineConfig: &EngineConfig{
+ ID: "pi",
+ Model: "copilot/gpt-5.4",
+ },
+ SafeOutputs: &SafeOutputsConfig{
+ ThreatDetection: &ThreatDetectionConfig{},
+ },
+ },
+ shouldContainModel: true,
+ expectedModel: "gpt-5.4",
+ },
 {
 name: "copilot engine with threat detection engine config with custom model",
 data: &WorkflowData{
From 042f501a95e90dd1ecf12c4abe602d12c7ca906d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 25 Jun 2026 21:25:09 +0000
Subject: [PATCH 2/3] Fix Pi threat detection model fallback
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/threat_detection_inline_engine.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/pkg/workflow/threat_detection_inline_engine.go b/pkg/workflow/threat_detection_inline_engine.go
index a797032bc68..ceed5884684 100644
--- a/pkg/workflow/threat_detection_inline_engine.go
+++ b/pkg/workflow/threat_detection_inline_engine.go
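Review bot: The new table row covers only the `copilot/gpt-5.4` input, so the edges of the normalization are untested. Missing cases are a Pi engine with a bare model, a Pi model scoped to a provider other than `copilot`, and an explicit threat-detection engine ID overriding a `pi` main engine. A row with `Model: "gpt-5.4"` and `expectedModel: "gpt-5.4"` would pin the pass-through case. A row with a non-Copilot prefix would record what the detection step is meant to receive then. The table's struct definition and the assertions on `shouldContainModel`/`expectedModel` sit outside this hunk in TestCopilotDetectionDefaultModel, so I am assuming they check the model value emitted into the generated step.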
@@ -94,7 +94,11 @@ func (c *Compiler) buildDetectionEngineExecutionStep(data *WorkflowData) []strin
 if detectionEngineConfig.APITarget == "" && data.EngineConfig != nil && data.EngineConfig.APITarget != "" {
 detectionEngineConfig.APITarget = data.EngineConfig.APITarget
 }
- if detectionEngineConfig.ID == "copilot" && originalEngineID == "pi" {
+ if engineSetting == "copilot" && originalEngineID == "pi" {
+ // Pi requires provider/model syntax (for example "copilot/gpt-5.4"), but the
+ // Copilot CLI expects only the model ID. extractPiModelID preserves bare model
+ // names unchanged, so empty or already-normalized values keep their current
+ // fallback behavior while provider-scoped Pi models become Copilot-compatible.
 detectionEngineConfig.Model = extractPiModelID(detectionEngineConfig.Model)
 }
From 79256e69d11ba1e2142b10d2ddcee0aba13ab65e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 25 Jun 2026 21:28:02 +0000
Subject: [PATCH 3/3] Document Pi detection fallback precedence
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/threat_detection_inline_engine.go | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/pkg/workflow/threat_detection_inline_engine.go b/pkg/workflow/threat_detection_inline_engine.go
index ceed5884684..99ba687e63a 100644
--- a/pkg/workflow/threat_detection_inline_engine.go
+++ b/pkg/workflow/threat_detection_inline_engine.go
@@ -34,6 +34,10 @@ func (c *Compiler) buildDetectionEngineExecutionStep(data *WorkflowData) []strin
 if hasThreatDetectionEngineConfig {
 engineConfig = data.SafeOutputs.ThreatDetection.EngineConfig
 }
+ // Preserve the original engine identity before Pi is normalized to Copilot for
+ // detection. Precedence matches runtime engine resolution: explicit
+ // threat-detection.engine.id overrides the main engine config, which overrides
+ // the legacy top-level AI field.
 originalEngineID := data.AI
 if data.EngineConfig != nil && data.EngineConfig.ID != "" {
 originalEngineID = data.EngineConfig.ID