[awf] Support Azure Copilot BYOK env routing in api-proxy and resolve gpt-5.4 via gpt-5 family aliases

[Copilot]

Azure-hosted BYOK runs were failing before request execution because api-proxy ignored Copilot BYOK Azure env vars, then model resolution missed gpt-5.4 when only gpt-5 family aliases were configured. This PR wires Azure BYOK envs into the OpenAI adapter path and adds gpt-5.x → gpt-5 alias-family fallback behavior.

• Azure Copilot BYOK env compatibility (api-proxy service + OpenAI adapter)

  • Forward COPILOT_PROVIDER_TYPE, COPILOT_PROVIDER_BASE_URL, and COPILOT_PROVIDER_API_KEY into the api-proxy container from AWF config/env sources.
  • In providers/openai.js, treat COPILOT_PROVIDER_TYPE=azure + BYOK vars as OpenAI adapter configuration when explicit OPENAI_* is not set.
  • Parse host/path from COPILOT_PROVIDER_BASE_URL so Azure deployment base paths are preserved.
  • Keep precedence explicit: OPENAI_* config still overrides Copilot BYOK-derived values.

• Model resolution for gpt-5.4

  • Extend resolver behavior to fall back from gpt-5.<minor> to gpt-5 alias key when a direct alias entry is absent.
  • This allows existing gpt-5 family alias policies (e.g. copilot/gpt-5*) to resolve versioned requests like gpt-5.4 without requiring duplicate alias entries.

• Targeted coverage updates

  • Added adapter tests for Azure BYOK env ingestion and precedence rules.
  • Added compose-generation tests ensuring BYOK env propagation from both additionalEnv and envFile.
  • Added resolver test for gpt-5.4 family fallback resolution.

// openai.js (simplified)
const providerType = (env.COPILOT_PROVIDER_TYPE || '').trim().toLowerCase();
const byok = providerType === 'azure';
const { target, basePath } = parseByokBaseUrl(env.COPILOT_PROVIDER_BASE_URL);

const apiKey = openaiApiKey || (byok ? env.COPILOT_PROVIDER_API_KEY : undefined);
const rawTarget = (env.OPENAI_API_TARGET ? openaiTarget : undefined) || (byok ? target : undefined) || 'api.openai.com';
const explicitBasePath = openaiBasePath || (byok ? basePath : '');

[Copilot]

Pull request overview

Adds Azure Copilot BYOK environment routing to the api-proxy's OpenAI adapter and introduces a gpt-5.<minor> → gpt-5 family-alias fallback so versioned model IDs resolve against existing gpt-5 alias policies.

Changes:

• Forward COPILOT_PROVIDER_TYPE/BASE_URL/API_KEY from additionalEnv/envFile/envAll into the api-proxy container, and consume them in the OpenAI adapter (with OPENAI_* precedence preserved).
• Add gpt-5.<minor> → gpt-5 alias fallback in model-resolver.js.
• Add coverage for adapter env precedence, compose env propagation, and the resolver fallback.

Show a summary per file

File	Description
src/services/api-proxy-service.ts	Reads Copilot BYOK env values from config sources and injects them into api-proxy container env.
src/services/api-proxy-service.test.ts	Tests BYOK env propagation from additionalEnv and envFile.
containers/api-proxy/providers/openai.js	Accepts Azure Copilot BYOK envs as OpenAI adapter config, parses host/basePath from BYOK base URL, updates not-configured error message.
containers/api-proxy/oidc-token-provider.test.js	Covers BYOK-derived OpenAI config and OPENAI_* precedence over BYOK.
containers/api-proxy/model-resolver.js	Adds gpt-5.<minor> family fallback to the alias lookup.
containers/api-proxy/model-resolver.test.js	Tests gpt-5.4 resolves via the gpt-5 alias family.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 6/6 changed files
• Comments generated: 0

[github-actions]

❌ Smoke test results:

• GitHub API: ❌ (gh CLI auth not available)
• Playwright: ✅
• File verify: ✅

FAIL (2/3 tests passed)

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

Smoke Test: Copilot BYOK (Offline) Mode

Test	Result
GitHub MCP connectivity	❌ (401 — MCP not authenticated in this run)
GitHub.com HTTP connectivity	⚠️ (pre-step output not resolved)
File write/read	⚠️ (pre-step output not resolved)
BYOK inference (agent responding)	✅

Note: Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Overall: FAIL — template variables (${{ steps.smoke-data.outputs.* }}) were not substituted before agent invocation; GitHub MCP returned 401.

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Smoke Test Results

Test	Status
GitHub MCP connectivity	❌ 401 Bad credentials
GitHub.com HTTP	⚠️ Pre-step data not resolved (template vars unsubstituted)
File write/read	⚠️ Pre-step data not resolved (template vars unsubstituted)

Overall: FAIL — MCP credentials unavailable; pre-computed step outputs were not injected into the prompt.

cc @Copilot

📰 BREAKING: Report filed by Smoke Copilot

[github-actions]

Smoke Test: GitHub Actions Services Connectivity

• Redis PING: ❌ (timeout — no response on host.docker.internal:6379)
• PostgreSQL pg_isready: ❌ (no response on host.docker.internal:5432)
• PostgreSQL SELECT 1: ❌ (skipped — pg_isready failed)

Overall: FAIL

🔌 Service connectivity validated by Smoke Services

[github-actions]

Chroot Version Comparison Results

Runtime	Host Version	Chroot Version	Match?
Python	Python 3.12.13	Python 3.12.3	❌
Node.js	v24.15.0	v20.20.2	❌
Go	go1.22.12	go1.22.12	✅

Overall: ❌ Not all versions match — Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot

[github-actions]

Smoke Test Results

• GitHub MCP Testing: ❌ (Tool mcpscripts not found)
• GitHub.com Connectivity: ✅ (200 via proxy)
• File Writing Testing: ✅
• Bash Tool Testing: ✅

PR titles found in git log:

1. Codex: remove openai-proxy env_key requirement in postprocessed lock workflows (Codex: remove openai-proxy env_key requirement in postprocessed lock workflows #3234)

Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	passed	✅ PASS
Node.js	execa	✅	passed	✅ PASS
Node.js	p-limit	✅	passed	✅ PASS
Rust	fd	✅	1/1 passed	✅ PASS
Rust	zoxide	✅	1/1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #3241 · ● 6.8M · ◷

[github-actions]

Last merged PRs:

• [awf] Support Azure Copilot BYOK env routing in api-proxy and resolve gpt-5.4 via gpt-5 family aliases
• Refactor Azure OIDC provider to inherit shared token lifecycle from BaseOidcTokenProvider
  ❌ GitHub MCP / safeinputs-gh
  ✅ Playwright title
  ❌ Tavily search
  ✅ File + bash
  ✅ Discussion comment
  ✅ npm ci && npm run build
  Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex