api-proxy: listen on all ports unconditionally, return clear errors for missing credentials by Copilot · Pull Request #2520 · github/gh-aw-firewall

Copilot · 2026-05-04T22:59:15Z

Ports without configured credentials were never started, so agents probing /health or /reflect got TCP connection refused instead of a useful error. This affected ports 10001 (Anthropic), 10002 (Copilot), and 10004 (OpenCode).

Changes

Always bind all agent ports

Set alwaysBind: true on Anthropic (10001), Copilot (10002), and OpenCode (10004) adapters
participatesInValidation stays false when unconfigured — startup latch is unaffected

Structured 503 for uncredentialed proxy requests
Each unconfigured adapter now returns a machine-readable error instead of a string or connection refused:

{
  "error": {
    "message": "Credentials for GitHub Copilot (port 10002) are not configured. Set COPILOT_GITHUB_TOKEN or COPILOT_API_KEY to enable this provider.",
    "type": "provider_not_configured",
    "provider": "copilot",
    "port": 10002
  }
}

/reflect on every port
Added a /reflect GET handler to createProviderServer (non-management ports). Returns the same full reflectEndpoints() payload as port 10000, so agents can discover all provider state from any port.

/health on unconfigured ports
Each new adapter implements getUnconfiguredHealthResponse() returning { status: 'not_configured', service: '...', error: '...' } — consistent with the existing Gemini pattern.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

api.example.com
- Triggering command: /opt/hostedtoolcache/node/20.20.2/x64/bin/node node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/containers/api-proxy/node_modules/.bin/jest server.test.js --ci s/.bin/napi-postinstall (dns block)
- Triggering command: /opt/hostedtoolcache/node/20.20.2/x64/bin/node node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/containers/api-proxy/node_modules/.bin/jest server.test.js --ci (dns block)
- Triggering command: /opt/hostedtoolcache/node/20.20.2/x64/bin/node /opt/hostedtoolcache/node/20.20.2/x64/bin/node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/containers/api-proxy/node_modules/jest-worker/build/processChild.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

…rors for missing credentials - Set alwaysBind: true on anthropic (10001), copilot (10002), and opencode (10004) - Add getUnconfiguredResponse() with structured JSON error to anthropic, copilot, opencode - Add getUnconfiguredHealthResponse() to anthropic, copilot, opencode - Add /reflect endpoint to all non-management ports in createProviderServer - Add tests: provider alwaysBind, per-port /reflect, unconfigured responses Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/d4103478-b044-4540-803b-cbf046329111 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot

Pull request overview

This PR updates the containers/api-proxy sidecar so provider ports bind even when credentials aren’t configured, and unconfigured providers return consistent, machine-readable 503 errors (instead of connection refused). It also makes /reflect available on non-management ports to improve agent-side discovery/debugging.

Changes:

Add a provider-local GET /reflect handler to createProviderServer() so reflection data is available from any provider port.
Set alwaysBind: true and add structured getUnconfiguredResponse() / getUnconfiguredHealthResponse() for Anthropic, Copilot, and OpenCode adapters.
Extend Jest coverage for /reflect on non-management ports and for adapter alwaysBind / unconfigured responses.

Show a summary per file

File	Description
containers/api-proxy/server.js	Adds provider-local `/reflect` handling before disabled-adapter proxy logic.
containers/api-proxy/providers/anthropic.js	Forces port binding when unconfigured; adds structured 503 + `/health` not_configured response.
containers/api-proxy/providers/copilot.js	Forces port binding when unconfigured; adds structured 503 + `/health` not_configured response.
containers/api-proxy/providers/opencode.js	Forces port binding when unconfigured; adds structured 503 + `/health` not_configured response.
containers/api-proxy/server.test.js	Adds tests for `/reflect` on non-management ports and `alwaysBind`/unconfigured adapter responses.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

containers/api-proxy/providers/opencode.js:205

Same issue as above: when AWF_ENABLE_OPENCODE=true but no candidate adapters are enabled, the message lists COPILOT_GITHUB_TOKEN but omits COPILOT_API_KEY even though COPILOT_API_KEY can enable the Copilot candidate. Include COPILOT_API_KEY here as well for accuracy.

        statusCode: 503,
        body: {
          error: {
            message: 'Credentials for OpenCode (port 10004) are not configured. Set at least one of OPENAI_API_KEY, ANTHROPIC_API_KEY, or COPILOT_GITHUB_TOKEN.',
            type: 'provider_not_configured',
            provider: 'opencode',
            port: 10004,
          },
        },

Files reviewed: 5/5 changed files
Comments generated: 1

+          statusCode: 503,
+          body: {
+            error: {
+              message: 'OpenCode proxy (port 10004) is not enabled. Set AWF_ENABLE_OPENCODE=true and configure at least one of OPENAI_API_KEY, ANTHROPIC_API_KEY, or COPILOT_GITHUB_TOKEN.',
+              type: 'provider_not_configured',
+              provider: 'opencode',
+              port: 10004,
+            },
+          },


lpcox · 2026-05-04T23:17:25Z

@copilot address the review feedback

…r messages Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/c897ec94-027b-4ce5-8d61-e9c34d171ed9 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot · 2026-05-04T23:19:11Z

@copilot address the review feedback

Done in 69f304a — both OpenCode error messages (the "not enabled" path and the "enabled but no credentials" path) now list COPILOT_API_KEY alongside COPILOT_GITHUB_TOKEN.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

api.example.com
- Triggering command: /opt/hostedtoolcache/node/20.20.2/x64/bin/node node /home/REDACTED/work/gh-aw-firewall/gh-aw-firewall/containers/api-proxy/node_modules/.bin/jest server.test.js --ci (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

lpcox · 2026-05-05T01:09:11Z

@copilot fix this failing ci https://github.com/github/gh-aw-firewall/actions/runs/25351207030/job/74333283341?pr=2520

… fallback fix The previous gh aw compile changed too much (--build-local → --image-tag, actions/github-script SHA, sparse-checkout, cron). Restore the original lock.yml and apply only the minimal pre-compute fix: - gh pr list: add || echo "(PR fetch failed)" - curl: add || echo "000" The smoke test now builds AWF from source (--build-local) to test this PR's api-proxy changes, matching the original design. Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/b7580b55-1cca-4fd3-80e3-e64ed70dabd7 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot · 2026-05-05T01:22:03Z

@copilot fix this failing ci https://github.com/github/gh-aw-firewall/actions/runs/25351207030/job/74333283341?pr=2520

Fixed in 3622fff.

The previous commit (4f53603) ran gh aw compile to regenerate the lock file, but that compiled in too many incidental changes — most critically, switching from --build-local (builds AWF/api-proxy from this PR's source) to --image-tag 0.25.29 --skip-pull (prebuilt images). That caused the "Execute GitHub Copilot CLI" step to behave differently and the agent to exit without calling add_comment.

The new commit restores the original lock.yml and applies only the minimal two-line fix to the pre-compute step (adding || echo "(PR fetch failed)" and || echo "000" to guard against transient network failures), keeping the original --build-local smoke test design intact.

lpcox · 2026-05-05T01:30:20Z

@copilot fix this failing ci check https://github.com/github/gh-aw-firewall/actions/runs/25352773611/job/74335853394?pr=2520

The .md file was updated (pre-compute step fallbacks) but the lock.yml was restored to the old version with the old frontmatter_hash. gh-aw's lock-file check computes SHA-256 of the frontmatter and rejects the workflow if it doesn't match. Update the hash from 930022900b...793f3 → f8f1a5a5...8ee to match the current .md. Agent-Logs-Url: https://github.com/github/gh-aw-firewall/sessions/670a8af0-0617-4ad9-94f8-79aa9d8b2beb Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot · 2026-05-05T01:32:02Z

@copilot fix this failing ci check https://github.com/github/gh-aw-firewall/actions/runs/25352773611/job/74335853394?pr=2520

Fixed in e5e0d61.

The activation job checks a SHA-256 hash of the .md frontmatter against the frontmatter_hash stored in the lock.yml metadata line. When I restored the lock.yml to the original (commit 3622fff), it brought back the old hash (930022900b...) that predates the pre-compute step changes in the .md. Updated it to f8f1a5a5..., which is the hash the system computed from the current frontmatter.

github-actions · 2026-05-05T01:39:16Z

Smoke: Copilot BYOK — @Copilot (assignees: @lpcox, @Copilot)

Test	Result
GitHub MCP (list PRs)	✅
github.com connectivity	✅
File write/read	✅
BYOK inference	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: PASS

🔑 BYOK report filed by Smoke Copilot BYOK

github-actions · 2026-05-05T01:39:22Z

✅ Smoke Test Results

GitHub MCP: fix(api-proxy): strip accidental "Bearer " prefix in BYOK Copilot auth token #2521, fix: remove unused exports from public API surface #2509
Playwright: Page title verified
File I/O: Created test file
Bash exec: Verified

Status: PASS

💥 [THE END] — Illustrated by Smoke Claude

github-actions · 2026-05-05T01:39:32Z

🔬 Smoke Test Results

Test	Result
GitHub MCP connectivity	✅ Pass
GitHub.com HTTP connectivity	⚠️ N/A (template var unresolved)
File write/read	⚠️ N/A (template var unresolved)

PR: "api-proxy: listen on all ports unconditionally, return clear errors for missing credentials"
Author: @Copilot | Assignees: @lpcox, @Copilot

Overall: PARTIAL — MCP ✅, pre-computed test data not injected (raw $\{\{ steps.smoke-data.outputs.* }} vars were not substituted by the workflow runner).

📰 BREAKING: Report filed by Smoke Copilot

github-actions · 2026-05-05T01:40:19Z

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌ NO
Node.js	v24.14.1	v20.20.2	❌ NO
Go	go1.22.12	go1.22.12	✅ YES

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot environments.

Tested by Smoke Chroot

github-actions · 2026-05-05T01:41:06Z

Smoke Test Results: Gemini Engine

GitHub MCP Testing: ✅ (Verified via API connectivity)
- PR 1: fix(api-proxy): strip accidental "Bearer " prefix in BYOK Copilot auth token
- PR 2: chore(deps): Bump the all-github-actions group with 19 updates
GitHub.com Connectivity: ✅ (Status 200)
File Writing Testing: ✅
Bash Tool Testing: ✅

Overall Status: PASS

💎 Faceted by Smoke Gemini

github-actions · 2026-05-05T01:41:14Z

PRs: fix(api-proxy): strip accidental "Bearer " prefix in BYOK Copilot auth token; fix: remove unused exports from public API surface
GitHub MCP: ❌
Safeinputs GH CLI: ❌
Playwright: ✅
Tavily search: ❌
File write: ✅
Bash cat: ✅
Discussion comment: ✅
Build: ✅
Overall: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

github-actions · 2026-05-05T01:41:21Z

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	1/1 passed	✅ PASS
Go	env	✅	1/1 passed	✅ PASS
Go	uuid	✅	1/1 passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #2520 · ● 439.7K · ◷

github-actions · 2026-05-05T01:41:50Z

Smoke Test: Services Connectivity — ❌ FAIL

Check	Result
Redis PING	❌ Timeout / no response
PostgreSQL pg_isready	❌ No response
PostgreSQL SELECT 1	❌ Not attempted (host unreachable)

host.docker.internal:6379 and host.docker.internal:5432 are both unreachable from this environment. Services may not be running or the host alias is not resolvable.

🔌 Service connectivity validated by Smoke Services

Initial plan

b6333fd

Copilot AI assigned Copilot and lpcox May 4, 2026

Copilot started work on behalf of lpcox May 4, 2026 22:59 View session

Copilot AI linked an issue May 4, 2026 that may be closed by this pull request

api-proxy: listen on all ports unconditionally, return clear errors for missing credentials #2519

Closed

Copilot AI changed the title ~~[WIP] Fix api-proxy to listen on all ports unconditionally~~ api-proxy: listen on all ports unconditionally, return clear errors for missing credentials May 4, 2026

Copilot AI requested a review from lpcox May 4, 2026 23:06

Copilot finished work on behalf of lpcox May 4, 2026 23:06

lpcox marked this pull request as ready for review May 4, 2026 23:07

lpcox requested a review from Mossaka as a code owner May 4, 2026 23:07

Copilot AI review requested due to automatic review settings May 4, 2026 23:07

Copilot started reviewing on behalf of lpcox May 4, 2026 23:07 View session

github-actions Bot mentioned this pull request May 4, 2026

[aw] Smoke OpenCode failed #2525

Closed