Cap /reflect effective-token totals at configured maxEffectiveTokens

[Copilot]

Bug Fix

/reflect could report effective_tokens.total_effective_tokens above the configured budget (e.g., ~46M with a 25M max), which made the reported budget state look inconsistent. The issue was in reflect-state presentation, not in request-blocking enforcement.

• Reflect-state clamping

  • Updated effective-token reflect output to cap displayed totals at max_effective_tokens.
  • remaining_effective_tokens and percent_used are now derived from the clamped value, so reported usage cannot exceed 100%.

• Enforcement behavior preserved

  • Kept internal over-budget tracking unchanged for guard/block decisions.
  • Limit enforcement still uses the true accumulated total.

• Focused boundary coverage

  • Added guard-level tests for:
    • below-max behavior (no clamp),
    • exact-max behavior (100%),
    • above-max behavior (reflected values clamp to max).

const reflectedTotal = Math.min(state.totalEffectiveTokens, config.max);
return {
  max_effective_tokens: config.max,
  total_effective_tokens: reflectedTotal,
  remaining_effective_tokens: Math.max(0, config.max - reflectedTotal),
  percent_used: Math.round((reflectedTotal / config.max) * 10000) / 100,
};

[Copilot]

Pull request overview

This PR updates the API proxy effective-token guard so /reflect reports budget usage capped at the configured maximum while preserving the true internal total for enforcement.

Changes:

• Clamps reflected total_effective_tokens to max_effective_tokens.
• Derives reflected remaining budget and percent used from the clamped value.
• Adds focused guard tests for below, exact, and over-budget reflect behavior.

Show a summary per file

File	Description
containers/api-proxy/guards/effective-token-guard.js	Caps effective-token values returned for reflect-state presentation.
containers/api-proxy/guards/effective-token-guard.test.js	Adds tests covering reflected budget clamping boundaries.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 0

[github-actions]

Smoke Test Results

Test	Result
GitHub API	❌ FAIL
Playwright	✅ PASS
File verify	✅ PASS

Overall: PARTIAL (2/3 tests)

Notes:

• GitHub API failed due to gh CLI authentication not being configured (expected per safe-outputs limitations)
• Playwright successfully navigated to https://github.com and verified title contains 'GitHub'
• Smoke test marker file exists with expected content

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
1. GitHub MCP connectivity	❌ (401 Bad credentials)
2. GitHub.com HTTP	✅ HTTP 200
3. File write/read	❌ (pre-step outputs not substituted)
4. BYOK inference (this response)	✅

Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com.

Overall: FAIL — GitHub MCP auth and pre-step smoke data unavailable.

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

refactor: [Export Audit] Remove test-only re-exports from barrel modules
feat: auto-forward OTEL_* env vars with one-shot token protection for headers
GitHub PR review: ✅
safeinputs-gh: ❌
Playwright: ✅
Tavily: ❌
File/Bash: ✅ | Discussion: ✅ | Build: ✅
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

🔬 Smoke Test Results

Test	Status
GitHub MCP connectivity	❌ (401 Bad credentials)
GitHub.com HTTP connectivity	❌ (template vars not expanded)
File write/read	❌ (template vars not expanded)

Overall: FAIL

The workflow template variables (${{ steps.smoke-data.outputs.* }}) were not expanded before reaching the agent, indicating a workflow configuration issue rather than an engine failure.

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test Results

• GitHub MCP Testing: ❌ (Tools not found)
• GitHub.com Connectivity: ❌ (Status 000/SSL error)
• File Writing: ✅
• Bash Tool Testing: ✅

Overall Status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

Chroot Smoke Test Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.15.0	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all tests passed — Python and Node.js versions differ between host and chroot.

Tested by Smoke Chroot

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	❌	N/A	❌ FAIL
Java	caffeine	❌	N/A	❌ FAIL
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	0 tests	✅ PASS
Rust	zoxide	✅	0 tests	✅ PASS

Overall: 7/8 ecosystems passed — ❌ FAIL

---

❌ Failure Details

Java (gson, caffeine) — Both projects failed with:

[ERROR] Could not create local repository at /home/runner/.m2/repository

The /home/runner/.m2 directory is owned by root in this environment, preventing Maven from creating the local repository subdirectory (permission denied). This is an environment-level permission issue, not a code issue with the test projects themselves.

Generated by Build Test Suite for issue #3208 · ● 3.8M · ◷

[github-actions]

Smoke Test Results

• Redis PING: ❌ (no response / timeout)
• PostgreSQL pg_isready: ❌ (no response)
• PostgreSQL SELECT 1: ❌ (no response / timeout)

Overall: FAIL — host.docker.internal is unreachable from this runner environment. Service containers are not accessible.

🔌 Service connectivity validated by Smoke Services

[lpcox]

@copilot address review feedback

[Copilot]

@copilot address review feedback

I don’t see any actionable reviewer comments on this PR to address yet. Please point me to the specific feedback (comment link or details), and I’ll apply the requested changes right away.