[deps-release-notes] awf v0.25.63 action items

[github-actions]

Release Notes Action Items for awf 0.25.48 → 0.25.63

This issue summarizes upstream release notes for the awf dependency between the previously pinned version (0.25.48) and the new pinned version (0.25.63), highlighting items that may need follow-up in ado-aw.

The companion version-bump PR is titled chore(deps): update AWF_VERSION to 0.25.63.

Releases analyzed

• v0.25.49
• v0.25.50
• v0.25.51
• v0.25.52
• v0.25.53
• v0.25.54
• v0.25.55
• v0.25.56
• v0.25.57
• v0.25.58
• v0.25.60
• v0.25.63

Security fixes

• v0.25.49: Hardened Copilot proxy auth normalization to avoid malformed Authorization headers — a proxy security hardening that prevents malformed credentials from reaching the upstream API. (v0.25.49)

Notable features for ado-aw to adopt

• v0.25.53: Model fallback feature added to AWF — the firewall now supports a model fallback configuration; ado-aw could document or surface this as a front-matter option so consumers can specify a fallback model when their primary model is unavailable. (v0.25.53)
• v0.25.57: AWF_DIND env var and ARC/DinD sibling-socket auto-detection documented — AWF now auto-detects Docker-in-Docker environments via a sibling socket; ado-aw could document the AWF_DIND variable or pass it through for consumers running agents in ARC/DinD pipeline pools. (v0.25.57)
• v0.25.58: Pre-startup model validation via requestedModel config — the AWF api-proxy now validates the requested model before starting; ado-aw could surface earlier, clearer errors when a consumer specifies an invalid model in engine.model. (v0.25.58)
• v0.25.63: Correctly capture Responses API cache reads in token usage rollups — fixes under-reporting of cached token reads in OTel token usage data, improving the accuracy of ado-aw audit token statistics. (v0.25.63)

---

This issue was opened automatically by the dependency version updater workflow.

Generated by Dependency Version Updater · sonnet46 2.2M · ◷