fix: always route Gemini through api-proxy sidecar when --enable-api-proxy is active

[Copilot]

When --enable-api-proxy is enabled, GEMINI_API_BASE_URL and the GEMINI_API_KEY placeholder were only injected into the agent when GEMINI_API_KEY was already readable by the AWF process. If the key existed only as a GitHub Actions secret (not a runner-level env var), the Gemini CLI received neither — causing exit code 41 ("no auth method").

Changes

src/docker-manager.ts

• Removed if (config.geminiApiKey) guard around GEMINI_API_BASE_URL and placeholder GEMINI_API_KEY assignment
• Both are now set unconditionally when --enable-api-proxy is active; sidecar returns 503 if the real key is absent — explicit failure vs. silent auth error
• Warning about missing key is preserved

src/docker-manager.test.ts

• Updated test that asserted GEMINI_API_BASE_URL was undefined without a geminiApiKey
• Added test asserting the placeholder key is also always present without geminiApiKey

docs/api-proxy-sidecar.md

• Added GEMINI_API_KEY to the api-proxy env table
• Added GEMINI_API_BASE_URL / placeholder rows to agent env table with explanatory note on always-set behavior
• Added :::caution block: GEMINI_API_KEY must be exposed via env: in the workflow step, not only stored as a secret
• Added troubleshooting entry for exit code 41
• Fixed stale "only supports OpenAI and Anthropic" limitation; added port 10003 to container ports list

Before / after (agent environment when --enable-api-proxy is active, no geminiApiKey in runner env):

# Before
GEMINI_API_BASE_URL  → (not set)   ← CLI falls back to direct auth → exit 41
GEMINI_API_KEY       → (not set)

# After
GEMINI_API_BASE_URL  → http://172.30.0.30:10003   ← CLI uses proxy
GEMINI_API_KEY       → gemini-api-key-placeholder-for-credential-isolation

[Copilot]

Pull request overview

Ensures that when --enable-api-proxy is enabled, the agent is always configured to route Google Gemini traffic through the api-proxy sidecar (including always injecting GEMINI_API_BASE_URL and a placeholder GEMINI_API_KEY) to avoid Gemini CLI auth-preflight failures when the real key isn’t visible to the AWF process.

Changes:

• Update generateDockerCompose to always set GEMINI_API_BASE_URL + placeholder GEMINI_API_KEY whenever the api-proxy is enabled, and warn when the real key is missing.
• Adjust/add unit tests to assert the always-set Gemini env behavior under api-proxy mode.
• Expand api-proxy sidecar documentation for Gemini support, env vars, ports, and troubleshooting.

Show a summary per file

File	Description
src/docker-manager.ts	Always injects Gemini proxy base URL + placeholder key when api-proxy is enabled; keeps warning when real key is missing.
src/docker-manager.test.ts	Updates/extends tests to validate Gemini env vars are present even without geminiApiKey.
docs/api-proxy-sidecar.md	Documents Gemini env vars/port and adds guidance/troubleshooting for key exposure and failures.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

docs/api-proxy-sidecar.md:351

• The "API keys not detected" snippet and suggested remediation mention only OPENAI_API_KEY/ANTHROPIC_API_KEY, but the CLI warning message includes Copilot tokens and GEMINI_API_KEY as well. Consider updating this block to mirror the actual warning text and list of supported env vars.

### API keys not detected

⚠️ API proxy enabled but no API keys found in environment
Set OPENAI_API_KEY or ANTHROPIC_API_KEY to use the proxy

• Files reviewed: 3/3 changed files
• Comments generated: 4

[Copilot]

The "Required environment variables" list appears incomplete: the CLI warning path treats COPILOT_GITHUB_TOKEN / COPILOT_API_KEY as valid ways to enable the api-proxy as well, but they are not listed here. Consider updating this list so it matches the actual supported credentials for --enable-api-proxy.

This issue also appears on line 346 of the same file.

Suggested change

	- `GEMINI_API_KEY` — Google Gemini API key
	- `GEMINI_API_KEY` — Google Gemini API key
	- `COPILOT_GITHUB_TOKEN` — GitHub Copilot access token
	- `COPILOT_API_KEY` — GitHub Copilot API key

[Copilot]

In GitHub Actions, setting GEMINI_API_KEY under a step's env: does not automatically make it visible to the awf process if awf is executed via sudo (sudo typically drops non-whitelisted env vars). Consider updating this caution/example to show using sudo -E/--preserve-env=GEMINI_API_KEY (or otherwise ensure GEMINI_API_KEY is available to the privileged awf process), so users don't still hit the "key not set" warning unexpectedly.

[Copilot]

This troubleshooting section describes exit code 41 occurring when GEMINI_API_KEY is missing in the runner env, but with the new behavior GEMINI_API_KEY placeholder is always set in the agent when --enable-api-proxy is active. That should prevent the Gemini CLI from failing its "no auth method" preflight; instead, Gemini requests should fail with the sidecar's 503 response when the real key is absent. Consider rewriting this section to reflect the post-change failure mode (503 from proxy) and/or clarify the specific conditions where exit code 41 can still occur.

[Copilot]

Now that GEMINI_API_BASE_URL / GEMINI_API_KEY placeholder are always set when --enable-api-proxy is active, the agent's pre-flight health check should also validate Gemini proxy configuration/connectivity (similar to OpenAI/Anthropic/Copilot). Currently the health check script only keys off OPENAI_BASE_URL, ANTHROPIC_BASE_URL, and COPILOT_API_URL, so a Gemini-only setup can skip checks entirely and proceed to runtime failures. Consider extending the pre-flight health check to include GEMINI_API_BASE_URL and placeholder validation.

Suggested change

	logger.warn('--enable-api-proxy is active but GEMINI_API_KEY is not set.');
	logger.warn(` The api-proxy Gemini listener (port ${API_PROXY_PORTS.GEMINI}) will start in fallback mode and return 503 responses until GEMINI_API_KEY is set.`);
	logger.warn(' Set GEMINI_API_KEY in the AWF runner environment to enable Gemini credential isolation.');
	throw new Error(
	`--enable-api-proxy is active but GEMINI_API_KEY is not set. ` +
	`Refusing to continue because Gemini proxy traffic would be configured with a placeholder key only, ` +
	`and the api-proxy Gemini listener on port ${API_PROXY_PORTS.GEMINI} would otherwise fail later with 503 responses.`
	);

[github-actions]

Documentation Preview

Documentation build failed for this PR. View logs.

Built from commit f01ee4a

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	85.31%	85.40%	📈 +0.09%
Statements	85.17%	85.25%	📈 +0.08%
Functions	87.50%	87.50%	➡️ +0.00%
Branches	77.58%	77.63%	📈 +0.05%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/docker-manager.ts	86.1% → 86.4% (+0.32%)	85.7% → 86.0% (+0.31%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[github-actions]

🤖 Smoke Test Results

Test	Status
GitHub MCP (fix: always route Gemini through api-proxy sidecar when --enable-api-proxy is active)	✅
GitHub.com connectivity (HTTP 200)	✅
File write/read (smoke-test-copilot-24314916415.txt)	✅

Overall: PASS

PR by @app/copilot-swe-agent · Assignees: @lpcox @Copilot

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test Results — Run 24314916431

✅ GitHub MCP: #1940 "perf(security-guard): reduce Claude token cost ~32%", #1937 "fix: increase claude-token-optimizer timeout from 10 to 15 minutes"
✅ Playwright: github.com title contains "GitHub"
✅ File write: /tmp/gh-aw/agent/smoke-test-claude-24314916431.txt created
✅ Bash verify: Smoke test passed for Claude at Sun Apr 12 19:49:37 UTC 2026

Overall: PASS

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Smoke Test Results (Codex)

• perf(security-guard): reduce Claude token cost ~32% via turn cap, relevance gate, and conciseness ✅
• fix: increase claude-token-optimizer timeout from 10 to 15 minutes ✅
• GitHub MCP last 2 merged PRs: ✅
• safeinputs-gh PR list query: ❌
• Playwright github.com title contains "GitHub": ✅
• Tavily web search: ❌
• File write + cat readback: ✅
• Discussion query/comment: ❌
• npm ci && npm run build: ✅
  Overall: FAIL

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Smoke Test: GitHub Actions Services Connectivity ✅

All connectivity checks passed:

Service	Check	Result
Redis host.docker.internal:6379	PING	✅ PONG
PostgreSQL host.docker.internal:5432	pg_isready	✅ accepting connections
PostgreSQL smoketest db	SELECT 1	✅ returns 1

Note: redis-cli was not available; Redis was verified via nc with the Redis inline protocol.

🔌 Service connectivity validated by Smoke Services

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.14.1	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all versions match — Python minor patch differs (3.12.13 vs 3.12.3) and Node.js major version differs (v24 vs v20).

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	all passed	✅ PASS
Node.js	execa	✅	all passed	✅ PASS
Node.js	p-limit	✅	all passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Notes

• Java: Maven local repository directory /home/runner/.m2/repository was owned by root; resolved by configuring a writable local repo path (/tmp/gh-aw/agent/m2-repo) in settings.xml.
• All other ecosystems ran without issues.

Generated by Build Test Suite for issue #1946 · ● 840.6K · ◷